U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Improvements Needed in EPA’s Smartcard Program to Ensure Consistent Physical Access Procedures and Cost Reasonableness

Report No. 13-P-0200                                   March 27, 2013


Report Contributors:   Patrick Gilbride
                       Randy Holthaus
                       Raul Adrian
                       Lawrence Gunn
                       Kevin Lawrence


Abbreviations

CID        Criminal Investigation Division
DHS        U.S. Department of Homeland Security
EPA        U.S. Environmental Protection Agency
EPASS      Environmental Protection Agency Personnel Access and Security System
FAR        Federal Acquisition Regulation
FICAM      Federal Identity, Credential, and Access Management
FIPS       Federal Information Processing Standards
GAO        U.S. Government Accountability Office
GSA        U.S. General Services Administration
HSPD-12    Homeland Security Presidential Directive-12
IGCE       Independent Government Cost Estimate
OAM        Office of Acquisition Management
OARM       Office of Administration and Resources Management
OEI        Office of Environmental Information
OIG        Office of Inspector General
OMB        Office of Management and Budget
PACS       Physical Access Control System
PIN        Personal Identification Number
PIV        Personal Identity Verification
SMD        Security Management Division
SOP        Standard Operating Procedures


Cover photos: From left: a smartcard reader in the EPA Region 6 office in Dallas, Texas; EPA West, which is part of EPA headquarters. (EPA OIG photos)


Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

  e-mail:   OIG_Hotline@epa.gov
  phone:    1-888-546-8740
  fax:      202-566-2599
  online:   http://www.epa.gov/oig/hotline.htm
  write:    EPA Inspector General Hotline
            1200 Pennsylvania Avenue, NW
            Mailcode 2431T
            Washington, DC 20460


U.S. Environmental Protection Agency                                   13-P-0200
Office of Inspector General                                       March 27, 2013

At a Glance

Why We Did This Review

Homeland Security Presidential Directive-12 (HSPD-12) and subsequent requirements state that inconsistent approaches to physical access are inefficient and costly, and increase risk to the federal government. We conducted this audit to determine whether the U.S. Environmental Protection Agency (EPA) upgraded physical access control systems consistent with the goals of HSPD-12 and subsequent requirements. We also evaluated whether EPA acquired and deployed smartcard technology in an efficient and effective manner.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

• Strengthening EPA’s workforce and capabilities.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at:
www.epa.gov/oig/reports/2013/20130327-13-P-0200.pdf

Improvements Needed in EPA’s Smartcard Program to Ensure Consistent Physical Access Procedures and Cost Reasonableness

What We Found

Contrary to its plans, EPA upgraded some less critical facilities prior to its most important facilities (including EPA headquarters). EPA stated it was more efficient to upgrade facilities based on geographic location rather than importance, but provided no quantitative data to support that position. In addition, EPA indicated it did not want to make mistakes upgrading headquarters buildings so it upgraded others first. As a result, some lower valued facilities required a higher level of authentication for access than EPA headquarters facilities.

The processes used to gain access are inconsistent and not yet inter-operable (can be used by all federal employees including those outside EPA) or intra-operable (can be used by any EPA employee). This occurred because EPA had not developed national physical access procedures to foster consistency. As a result, EPA is not realizing potential benefits associated with a standardized process.

EPA did not document assurance of cost reasonableness for some of the physical access control system contracts. EPA had spent over $12.8 million upgrading physical access control systems and could not assure that $3.8 million of that amount (30 percent) was spent in the most efficient and effective manner. EPA planned to award an additional $10.6 million to upgrade its systems.

Recommendations and Planned Agency Corrective Actions

We recommend that EPA re-prioritize the remaining facility upgrades by security level, from highest to lowest, and develop national policies and procedures that foster consistent inter-operable physical access. We also recommend that EPA establish an entity for overseeing EPA’s smartcard program, conduct cost analysis of smartcard upgrades, and enforce guidelines for independent government cost estimates. EPA agreed with two of our five recommendations. For the other three recommendations, EPA proposed alternative corrective actions that we believe address our findings.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

March 27, 2013

MEMORANDUM

SUBJECT:   Improvements Needed in EPA’s Smartcard Program to Ensure Consistent
           Physical Access Procedures and Cost Reasonableness
           Report No. 13-P-0200

FROM:      Arthur A. Elkins Jr.

TO:        Bob Perciasepe
           Deputy Administrator

           Craig E. Hooks
           Assistant Administrator
           Office of Administration and Resources Management


This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determination on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

The Agency did not concur with recommendations 1 and 2 and proposed acceptable alternative corrective actions. The Agency concurred with recommendations 3 and 4 and partially concurred with recommendation 5. On recommendation 5, parts c and d, the Agency provided acceptable proposed alternative corrective actions. We accept EPA’s response and planned corrective actions for all five recommendations and no further response is needed. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

We request that EPA provide the OIG with: (1) copies of the upgraded physical access control system planning documents submitted to the Office of Management and Budget in 2012; (2) its updated EPA Personnel Access and Security System project management plan; (3) the update to EPA Order 3200, EPA Personal Identity Verification and Smartcard Program when finalized; (4) a copy of its policy titled Use of the PIV Card for Facility Access when finalized; (5) documents that demonstrate EPA’s final decision on which office will oversee its smartcard program; and (6) a copy of any new guidance or policy issued that further details how and when independent government cost estimates should be prepared.

If you or your staff have any questions regarding this report, please contact Melissa Heist, Assistant Inspector General for Audit, at (202) 566-0899 or Heist.Melissa@epa.gov; or Patrick Gilbride, Product Line Director, at (303) 312-6969 or Gilbride.Patrick@epa.gov.


Improvements Needed in EPA’s Smartcard Program to Ensure                          13-P-0200
Consistent Physical Access Procedures and Cost Reasonableness

Table of Contents

Chapters
   1   Introduction ......................................................................... 1
           Purpose ......................................................................... 1
           Background ...................................................................... 1
           Scope and Methodology ........................................................... 2
           Prior Audit Reports ............................................................. 3

   2   EPA Did Not Upgrade Most Critical Facilities First .................................. 4
           Implementation Plans Not Followed ............................................... 4
           EPA Upgraded 29 of Its Less Important Facilities Before
                 Upgrading Its Most Critical Assets ........................................ 5
           Importance of Facilities Not a Priority for Initiating Upgrades ................. 6
           Conclusions ..................................................................... 7
           Recommendation .................................................................. 8
           Agency Comments and OIG Evaluation .............................................. 8

   3   EPA’s Physical Access Control Systems Not Inter-Operable
       or Intra-Operable ................................................................... 9
           Physical Access Control Systems Should Be Inter-Operable ........................ 9
           EPA Uses Various Processes for Physical Access Control ......................... 10
           EPA Does Not Have National Procedures for Physical Access ...................... 12
           EPA Needs to Designate a Single Office to Administer Its
                 Smartcard Program ........................................................ 13
           EPA Not Maximizing Efficiency and Security Within PACS ......................... 13
           Conclusions .................................................................... 14
           Recommendations ................................................................ 14
           Agency Comments and OIG Evaluation ............................................. 14

   4   EPA Acquired and Deployed Smartcard Technology
       Without Assuring Costs Were Reasonable ............................................. 16
           Cost Data and Documentation Requirements ....................................... 16
           EPA Did Not Maintain Sufficient Documentation to Support
                 PACS Decisions ........................................................... 18
           Project and Contract Management Staff Did Not Assure
                 Adequate Data Were Maintained ............................................ 20
           Conclusions .................................................................... 20
           Recommendations ................................................................ 21
           Agency Comments and OIG Evaluation ............................................. 21

   Status of Recommendations and Potential Monetary Benefits .............................. 24

Appendices
   A   Details on Scope and Methodology ................................................... 25
   B   Prior OIG and GAO Audit Reports .................................................... 26
   C   List of Contracts Awarded as of March 2012 for PACS Upgrades ....................... 29
   D   Agency Response ..................................................................... 30
   E   Distribution ........................................................................ 45


                                   Chapter 1

                                 Introduction

Purpose

On August 27, 2004, President George W. Bush signed Homeland Security Presidential Directive-12 (HSPD-12). The directive states, “it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).” Agencies are still working to implement HSPD-12 and project milestones set by the Office of Management and Budget (OMB).

The purpose of this audit was to determine whether the U.S. Environmental Protection Agency (EPA) upgraded physical access control systems (PACS) consistent with the goals of HSPD-12 and subsequent requirements. We also sought to determine whether EPA acquired and deployed smartcard technology in an efficient and effective manner.

Background

In March 2007, in response to HSPD-12, EPA began issuing smartcards—the required common form of federal identification—to eligible EPA employees. EPA’s physical resources include its office buildings, laboratories, storage centers, and other physical structures. PACS are the systems that control access to EPA’s physical resources.

As of September 2011, EPA informed us it had 156 facilities nationwide. EPA planned to upgrade 65 of those 156 facilities with PACS. By the end of 2011, EPA had either completed or started upgrading 39 facilities. EPA plans to upgrade an additional 26 facilities by the end of 2014, and be HSPD-12 compliant by September 30, 2015.

EPA plans to spend a total of $55.8 million through fiscal year 2015 for its Environmental Protection Agency Personnel Access and Security System (EPASS) program. The EPASS program includes all components of personnel access, from developing and issuing ID cards (smartcards) to the technology and processes used to grant access to buildings and computers. According to data EPA provided OMB, EPA spent $32.2 million to upgrade smartcard technology through July 2011 (which includes upgrading computers as well as physical locations) and plans to spend about $23.6 million over the next 4 years for its EPASS program.

13-P-0200                                                                                     1

EPA is in the process of upgrading its PACS. In addition to providing access that is intra-operable throughout the Agency, EPA is required to upgrade PACS in a way that allows inter-operability with other federal agencies. For purposes of this report, intra-operability means that EPA employees can easily gain access to EPA facilities using their smartcards and PACS technology when they have an authorized business reason to do so.

EPA’s Security Management Division (SMD) is responsible for upgrading PACS to comply with HSPD-12. SMD is within the Office of Administration and Resources Management’s (OARM) Office of Administration (OA), which is responsible for the acquisition of all Agency facilities, property management, and property security. EPA’s Office of Acquisition Management (OAM) is responsible for awarding and managing contracts, including those to implement HSPD-12. EPA’s Office of Environmental Information (OEI) is responsible for upgrades related to computer and information systems needed to comply with HSPD-12.

Since the time President Bush signed HSPD-12 in 2004, the U.S. Department of Commerce and OMB developed documents that detail requirements and offer guidance for implementing the smartcard program:

   • The U.S. Department of Commerce issued the Federal Information Processing Standards (FIPS) 201 in February 2005. FIPS 201 lays out the requirements for a common identification standard (to implement HSPD-12) for all federal employees and contractors. In March 2006, the U.S. Department of Commerce updated FIPS 201 by issuing FIPS 201-1.
   • OMB issued M-05-24 in August 2005 to all federal departments and agencies to transmit HSPD-12 and provide associated guidance.
   • OMB issued M-06-18 in June 2006 and established a set of parameters for acquiring products and services for implementing HSPD-12.
   • OMB issued M-11-11 in February 2011, which included a memorandum from the U.S. Department of Homeland Security (DHS). The memo outlined a plan of action for agencies to expedite the full use of the smartcard credentials for access to federal facilities and information systems.

Scope and Methodology

We conducted our audit from June 2011 to November 2012 in accordance with generally accepted government auditing standards. Those standards require that we obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our evaluation objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our objectives.

During our audit, we reviewed HSPD-12 and other supporting federal criteria as well as EPA’s policies and plans for implementing its smartcard program. We also reviewed relevant documentation for each of the contracts EPA awarded to upgrade physical and logical access control systems. We interviewed EPA headquarters managers and staff from OARM’s SMD and OAM, and from OEI. We also conducted a site visit to Region 1 in Boston, Massachusetts, and interviewed PACS coordinators from all regions where EPA had upgraded PACS. Appendix A provides further details on our scope and methodology.

In addition to PACS, HSPD-12 involves upgrading logical access control systems. Logical resources include computers and information systems that EPA employees use. EPA has had limited accomplishments to date related to the Agency’s logical access systems. EPA employees are not using smartcards to access information systems except for a limited number of employees who are testing their use. As a result, although logical access was originally within the scope of our review, we did not review logical access and developed no findings relating to that area.

Prior Audit Reports

Prior reports by the EPA Office of Inspector General (OIG), DHS OIG, GSA OIG, and U.S. Government Accountability Office (GAO) have highlighted various issues associated with implementing HSPD-12, including the complexity and the importance of sound planning across government. Appendix B provides details on the corrective actions EPA has taken to address prior audit report findings.


                                   Chapter 2

            EPA Did Not Upgrade Most Critical Facilities First

EPA upgraded some facilities that it classified as less critical prior to upgrading all of its most important and critical facilities, including headquarters facilities. On April 13, 2007, EPA issued Order 3200, EPA Personal Identity Verification and Smartcard Program. That order and subsequent plans stated that EPA would upgrade facilities in an order that would protect its most critical and valued assets first, but EPA did not do so. EPA officials said it was more efficient logistically to upgrade facilities based on geographic location rather than importance to EPA. However, SMD could not provide any analysis demonstrating efficiency. The SMD Director also said that EPA did not want to make mistakes upgrading its headquarters buildings so it has been upgrading other buildings first. As a result, some of EPA’s most critical facilities do not require as stringent an identity verification process for access as some of its least important facilities. As of March 2012, EPA spent over $4.5 million to upgrade facilities it determined to be less critical to the Agency while it still has not upgraded all of its most critical facilities.

Implementation Plans Not Followed

Policy and plans indicate that EPA would upgrade its most critical assets before upgrading lower value assets (facilities). EPA designates the security level of its facilities numerically on a scale from 4 down to 1, based on a federal security standard. Level 4 facilities are EPA’s most critical assets while Level 1 facilities would be least critical. According to the federal standard used for determining the security level of a facility, agencies should consider the following five factors when deciding the level assigned to a facility: (1) mission criticality, (2) symbolism, (3) facility population, (4) facility size, and (5) threat to tenant agencies.

EPA’s Policy and Plans

EPA issued Order 3200 to establish the Agency’s policy for providing a roadmap to implement EPA’s smartcard program. The order states, “Systems located in facilities identified as Agency critical infrastructure assets will be replaced first, followed by Security Level 4 facilities, Security Level 3 facilities, and Security Level 2 facilities…Those EPA facilities designated at Security Level 1 will maintain existing physical access security counter measures.”

EPA issued subsequent plans dealing with PACS upgrades. In 2008, EPA provided OEI’s HSPD-12 Physical Access Controls and Logical Access Controls Plan to OMB. In 2009, EPA issued its EPASS Project Management Plan. Both plans laid out the priority in which EPA would upgrade PACS. They documented that EPA would upgrade new construction or leases first, followed by facilities based on security level ratings. The 2008 plan stated, “…EPA will mitigate its highest risks first thus protecting our higher valued targets early on in the implementation process.” The plan also stated that EPA would complete upgrading all of its Security Level 4 facilities by December 2011. Similar to EPA Order 3200, the 2008 plan also stated that existing Security Level 1 facilities would not be upgraded.

Inter-Agency Security Committee Standards

According to the Interagency Security Committee (ISC) Standard: Facility Security Level Determinations for Federal Facilities, Level 5 facilities are unique facilities with a high level of importance that merit the highest degree of protection. Level 4 facilities are also of high importance and require the next highest degree of protection, and so forth down to Level 1 facilities. EPA has classified all of the buildings housing EPA’s 10 main regional offices as well as its headquarters facilities as Level 4.

EPA Upgraded 29 of Its Less Important Facilities Before Upgrading Its Most Critical Assets

EPA’s SMD did not follow EPA Order 3200 or the last plan it submitted to OMB in 2008 for upgrading Agency facilities. Although EPA’s stated policy was to upgrade its most critical assets first, as of the beginning of 2012 EPA had yet to start upgrades on six Level 4 facilities while it had completed or already started upgrades on 29 lower-level facilities. EPA also upgraded four Level 1 facilities and plans to upgrade another one even though its policies and plans stated that existing Level 1 facilities would not be upgraded. These lower-level facilities have less urgent security needs than the higher-level facilities. For example, one of the Level 1 facilities upgraded is used to store vehicles. No EPA employees work within that facility on a permanent basis. Conversely, EPA has not upgraded some of its headquarters buildings that are classified as Level 4, where up to hundreds and even thousands of EPA employees work on a full-time basis.

SMD plans to upgrade 65 facilities out of 156 EPA facilities by the end of September 2015. It plans to upgrade all Level 4 and Level 3 facilities, and some Level 2 and Level 1 facilities. By the end of 2011, EPA had completed or started upgrades to 39 facilities—4 at Level 1, 14 at Level 2, 11 at Level 3, and 10 at Level 4. EPA needs to complete upgrades for the following six Level 4 facilities:

   • Region 9 Main Building
   • EPA East and EPA West in Headquarters
   • Region 10 Main Building
   • Region 7 Main Building
   • Ariel Rios North and South Federal Building in Headquarters
   • Ronald Reagan Building in Headquarters

Details on upgrade actions EPA has taken since 2006 and plans to take are in table 1.

Table 1: Number of EPA facilities to be upgraded by security level

                                          Security levels
   Year started                    4       3       2       1      Total
   2006                            1       0       0       0          1
   2007                            2       2       2       0          6
   2008                            1       4       1       1          7
   2009                            0       0       1       0          1
   2010                            4       2       5       2         13
   2011                            2       3       5       1         11
   2012*                           3       1       2       0          6
   2013*                           3       5       4       0         12
   2014*                           0       0       7       1          8
   Total to be upgraded           16      17      27       5         65
   Total number of facilities     16      17      82      38      **156

   Source: OIG analysis of data provided by SMD.
   * Projected by EPA.
   ** EPA has not assessed the security level for 3 of its 156 facilities.

Importance of Facilities Not a Priority for Initiating Upgrades

A facility’s security level did not appear to be SMD’s top consideration for when it should upgrade a facility. The SMD Director told us she believed it was more efficient and logistically made more sense to upgrade facilities based on geographic location. She said that SMD preferred to award one contract for each location or region and have all facilities in that area upgraded simultaneously. In other words, to install independent PACS across five facilities would require two servers (primary and backup) per location, totaling 10 servers across the five locations, and 5 vendor application licenses. In comparison, covering the five locations with a single enterprise implementation requires only two servers and one vendor application license. We requested that SMD provide data or documented justification showing that it was more efficient to upgrade based on location. According to the SMD Director, they did not have such data because the increased efficiency was obvious. However, without cost analysis, EPA cannot demonstrate that its approach was more efficient. Further, when we asked the Director why EPA’s headquarters buildings were not upgraded first, the Director said that they did not want to make mistakes at headquarters and were therefore upgrading other buildings first and leaving the upgrades of headquarters buildings toward the end of the project. Although the Director said that efficiency was the primary reason EPA upgraded facilities in the order it did, criteria that EPA technical evaluation panel members used to review vendor proposals clearly stated that panel members should consider price/cost as the least important factor when evaluating which vendor should get a contract.

We also found two cases that further indicated that facility security levels were not the driving factor in the timing of upgrades. In one case, EPA upgraded the PACS system at a facility in Alabama that was 3 years overdue for a security level assessment. The facility was a Security Level 3 facility, so EPA should have re-assessed its Security Level every 3 years. According to SMD, EPA last assessed the facility in 2005. Therefore, EPA should have assessed the facility again in 2008 but it did not. EPA upgraded that facility while it had not upgraded many Level 4s. In another case, EPA upgraded a facility in Puerto Rico at the end of 2011 even though SMD did not complete the facility level assessment until January 2012.

We asked the SMD Director if she had considered other contracting approaches to upgrading facilities that emphasized security level first rather than all facilities in a given geographic area at the same time. She said that she had not thought of that and would have to consult with OAM to determine whether EPA could have used other contracting options. We discussed this issue with the OAM contracting officer for some PACS contracts and she told us that awarding contracts in order of facility security level could have been an effective alternative without resulting in greater cost. She said that SMD could have awarded national contracts at the beginning of this program to focus first on upgrading all Level 4s. She said that after SMD upgraded those facilities, additional national contracts could have been awarded to upgrade the Level 3s and so on, thereby addressing the most critical assets in a prioritized order.

Conclusions

Eight years after President Bush signed HSPD-12, EPA has not upgraded all of its most critical facilities. As a result, some facilities—housing hundreds or even thousands of employees along with other important assets—did not require the higher level of authentication to gain access as some of its facilities of lesser value and importance. As of March 2012, EPA had spent over $4.5 million to upgrade facilities assessed below Level 4 before it upgraded all Level 4 facilities.
EPA has\n            spent 69 percent more to upgrade Level 2 facilities ($2.8 million) as it has on\n            Level 3 facilities ($1.66 million), even though Level 2 facilities are less critical\n            than Level 3. As EPA stated in its formal plans, it planned to upgrade facilities\n            with the highest security level classification before upgrading lower level\n            facilities to improve security to its most critical assets first. However, EPA\n            decided to deviate from the plan it submitted to OMB and instead upgraded\n            facilities based on location. EPA should ensure it upgrades facilities based on the\n            criticality of the facility rather than geographic location.\n\n\n\n\n13-P-0200                                                                                        7\n\x0cRecommendation\n            We recommend that the Assistant Administrator for Administration and\n            Resources Management:\n\n               1.\t Re-prioritize the remaining facility upgrades by security level from\n                   highest to lowest, complete all remaining upgrades according to security\n                   level, and require the SMD Director to provide written justification for\n                   upgrading Level 1 facilities.\n\nAgency Comments and OIG Evaluation\n            EPA did not concur with recommendation 1 and proposed an alternative\n            recommendation. We continue to believe that EPA should have placed more effort\n            into upgrading the Level 4 facilities earlier in this PACS upgrade project. The plan\n            EPA shared in its response for upgrading its remaining facilities addresses this by\n            planning to complete upgrades to facilities with higher security levels before\n            completing those with a lower security level. 
Therefore, we agree with EPA\xe2\x80\x99s\n            proposal to continue with its current sequencing of facility upgrades.\n\n            Regarding Level 1 facilities, we agree with EPA\xe2\x80\x99s proposal that the SMD Director\n            will provide written justification to the Assistant Administrator for OARM and\n            obtain approval in advance of any work. As a result, we consider recommendation\n            1 resolved with corrective action pending.\n\n            For EPA\xe2\x80\x99s detailed comments on this chapter and additional OIG responses, see\n            appendix D.\n\n\n\n\n13-P-0200                                                                                     8\n\x0c                                    Chapter 3\n\n            EPA\xe2\x80\x99s Physical Access Control Systems \n\n              Not Inter-Operable or Intra-Operable\n\xc2\xa0\n            EPA has upgraded more than half of the 65 facilities\xe2\x80\x99 PACS it plans to upgrade,\n            but the processes used to gain access vary considerably and the systems are not\n            yet inter-operable or intra-operable in practice. For purposes of this report, intra-\n            operability means that EPA employees can easily gain access to any EPA facility\n            when they have an authorized business reason to do so, while inter-operability\n            goes beyond EPA and applies to any federal employee that has a need for access.\n            HSPD-12 and OMB\xe2\x80\x99s M-05-24 both stress the importance of eliminating\n            inconsistency in physical access systems. EPA\xe2\x80\x99s varied and inconsistent\n            approaches have resulted from a lack of developed, national physical access\n            procedures to foster consistency or inter-operability. 
As a result, EPA is not\n            realizing the potential benefits of a standardized process, and employee access to\n            EPA buildings continues to be inconsistent depending on an employee\xe2\x80\x99s\n            geographic location.\n\nPhysical Access Control Systems Should Be Inter-Operable\n            HSPD-12 stresses the importance of eliminating inconsistency in physical access\n            systems, and states, \xe2\x80\x9cWide variations in the quality and security of forms of\n            identification used to gain access to secure Federal and other facilities where there\n            is potential for terrorist attacks need to be eliminated.\xe2\x80\x9d OMB M-05-24 states,\n            \xe2\x80\x9cInconsistent agency approaches to facility security and computer security are\n            inefficient and costly, and increase risk to the Federal government.\xe2\x80\x9d OMB issued\n            OMB M-11-11 in February 2011 incorporating DHS requirements that outlined a\n            plan for federal agencies to use for upgrading identity verification systems. The\n            DHS memo highlights the importance of using a consistent process for access. It\n            states, \xe2\x80\x9cSpecific benefits of the standardized credentials required by HSPD-12\n            include secure access to federal facilities.\xe2\x80\xa6 Additionally, standardization leads to\n            reduced overall costs and better ability to leverage the Federal Government\xe2\x80\x99s\n            buying power with industry.\xe2\x80\x9d This memo also states that \xe2\x80\x9cAgency processes must\n            accept and electronically verify PIV [personal identity verification] credentials\n            [smartcards] issued by other federal agencies.\xe2\x80\x9d\n\n            FIPS 201-1 laid out the requirements for a common identification process. 
It\n            addresses factors such as the ability to rapidly authenticate smartcards and to be\n            inter-operable from one federal facility to another. FIPS 201-1 defines inter-\n            operability as follows: \xe2\x80\x9cFor the purposes of this standard, interoperability allows\n            any government facility or information system, regardless of the PIV Issuer, to\n            verify a cardholder\xe2\x80\x99s identity using the credentials on the PIV Card.\xe2\x80\x9d\n\n\n\n13-P-0200                                                                                           9\n\x0c            OARM issued Standard Operating Procedures for EPA Personnel Access and\n            Security System (EPASS) Badge Post-Issuance Management, dated June 23, 2011.\n            While the procedures specify that EPA will have one process nationwide for\n            issuing smartcards, it does not foster consistency in EPA\xe2\x80\x99s physical access\n            process. Specifically, the procedures state that each location is individually\n            responsible for figuring out how to allow employees to use the smartcards to gain\n            access to EPA facilities. The EPASS standard operating procedure states:\n\n                   The scope of this SOP is to provide EPA personnel serving as an\n                   Issuer [of the smartcards] the same process and procedures across\n                   the entire EPA. It does not apply to integration of the EPASS card\n                   into EPA Physical Access Control Systems (PACS) or procedures\n                   for issuance of an initial card. Each site should develop their own\n                   PACS SOP to fulfill that requirement.\n\nEPA Uses Various Processes for Physical Access Control\n            EPA is not using PACS in a consistent manner. EPA has used different processes,\n            including the use of key pads and temporary cards, to gain access to EPA\n            facilities. 
In addition, EPA\xe2\x80\x99s Criminal Investigation Division (CID) initially stated\n            that it was not going to upgrade its facilities because it did not agree with the\n            direction of the smartcard program, and SMD allowed that decision when it\n            should not have.\n\n            Inconsistent Use of Card Reader Key Pads\n\n            EPA\xe2\x80\x99s use of key pads for physical access is inconsistent. Of the locations where\n            PACS upgrades are complete, some use a card reader and key pad for access\n            while others that have key pads do not use them. Regional security staff generally\n            had rationale for using card readers with or without pin pads, but the reasoning\n            was not consistent from one region to the next. In Region 6, the main building in\n            Dallas, Texas, is a privately owned building, and because anyone from the general\n            public can access the building, EPA Region 6 employees must enter a 6-digit\n            personal identification number (PIN) in addition to scanning their smartcard.\n            Further, we found that top-level managers in Region 6 intentionally never\n            activated the card reader that controlled access between the Regional\n            Administrator\xe2\x80\x99s office and the region\xe2\x80\x99s external affairs and legal offices, so staff\n            who frequently go back and forth between those offices would not have to use\n            their smartcards.\n\n            EPA also installed card readers with key pads throughout the areas it occupies in\n            the Region 1 main building in Boston that several other federal agencies also\n            occupy. 
However, employees only scan their cards for access; no PIN is required.\n            Region 1 security staff informed us the key pads were in place in case additional\n            security was necessary but there are no present plans to activate the key pads.\n\n\n\n13-P-0200                                                                                     10\n\x0c            The more levels that an agency requires for access, the greater level of security\n            provided. There are three basic levels of authentication an agency could use for\n            access purposes \xe2\x80\x93 an agency could require an employee to use: (1) something they\n            have in their possession (like swiping a smartcard across a reader); (2) something\n            they know (like entering a PIN into the card reader in addition to just using the\n            smartcard); and (3) something they are (like a biometric, such as a fingerprint or\n            retinal scan, which is a feature unique to each person). If a facility or region\n            required only the badge to be swiped across a card reader, an unauthorized person\n            could use a lost or stolen card for access until it is deactivated.\n\n            In some regions, like Region 6, EPA requires employees to use something they\n            have (card) and something they know (PIN). In other regions, EPA employees\n            only use something they have (card) and do not have PINs assigned to them. In\n            EPA headquarters buildings, employees have only used something they have\n            (either their local EPA proximity card or smartcard) to present to security guards\n            for access to those buildings. 
However, PACS readers have yet to be installed in\n            all headquarters buildings.\n\n            Inconsistencies in Access by EPA Employees from Other Regions\n\n            The process EPA uses to grant access to visiting EPA employees also varies from\n            one region to the next. For example, Region 6 requires a temporary visitor card\n            and 8-digit PIN from EPA visitors from other regions to gain access. Region 8, on\n            the other hand, uses a more traditional visitor check-in\n            process. In Region 8, a visiting EPA employee checks in\n            at a reception area at the main entrance and regional staff\n            issue the person a visitor pass. Additionally, the visitor\n            must rely on an EPA employee who resides in the\n            building for access.\n\n            Because PACS should be intra-operable, we asked\n            Region 6 if it could program a visiting OIG employee\xe2\x80\x99s\n            actual smartcard to allow them access in the region.\n            While the Region 6 PACS coordinator informed us she           A temporary Region 6\n                                                                          visitor card. (EPA OIG\n            could program the card to allow for access, she also          photo)\n            warned that it could cause problems in the PACS identity\n            verification system. She explained that because locations operate differently,\n            changing the employee\xe2\x80\x99s information to allow access to Region 6 could adversely\n            affect access when the employee returned to their home region. The 8-digit PIN\n            that Region 6 requires for visiting EPA employees is a primary reason it uses the\n            temporary card. EPA employees visiting Region 6 may use a different number of\n            digits in their home region. 
If Region 6 were to provide access through that\n            employee\xe2\x80\x99s smartcard, it would hinder their ability to access their home office.\n\n            We also asked Region 8 if it could program a visiting OIG employee\xe2\x80\x99s smartcard\n            for use within that region. The Region 8 PACS coordinator said they were not\n\n\n13-P-0200                                                                                     11\n\x0c            informed that they are required to do so and therefore would not, as it could cause\n            problems within the PACS electronic identity verification system.\n\n            CID Not Required to Use Smartcard Readers\n\n            EPA\xe2\x80\x99s SMD also did not require one EPA office, CID, to use smartcard readers\n            and additionally allowed them to forgo the PACS upgrade. CID did not seem to\n            understand that it could maintain its unique security needs when upgrading its\n            PACS. We found that CID\xe2\x80\x99s office in Dallas should have had a smartcard reader\n            on one of its doors that the public could access. Once we brought this to the\n            attention of SMD and CID, and after talking to CID\xe2\x80\x99s National Acting Director,\n            CID started planning upgrades for more of its offices. CID will pilot the\n            installation of smartcard readers in its offices in Regions 6, 7, and 9. If the pilot is\n            successful, CID plans to install readers in offices in Regions 1, 2, 4, 5, and 10. In\n            Dallas, EPA had already upgraded the main Region 6 building (a Level 4 facility)\n            with card readers in 2011. Because CID\xe2\x80\x99s office space in Dallas was not upgraded\n            at the same time as the Region 6 main building, EPA planned to spend an\n            additional $17,927 to install the necessary equipment to CID\xe2\x80\x99s space. 
The SMD\n            PACS project manager told us the CID space in Dallas would be upgraded by the\n            end of February 2012. The additional card readers, including CID\xe2\x80\x99s main door\n            that is accessible to the general public, were installed and operational in\n            September 2012.\n\nEPA Does Not Have National Procedures for Physical Access\n            According to its own plans, EPA knew it would take until September 2015 to\n            complete its smartcard program\xe2\x80\x94nearly 10 years. However, EPA has not\n            developed national physical access procedures to foster consistency or intra-\n            operability. EPA has already upgraded or begun to upgrade almost 70 percent of\n            the facilities it plans to upgrade (45 of 65 facilities). We also determined that\n            there was a lack of direct coordination between SMD and some regions. We\n            interviewed PACS coordinators associated with each of the EPA facilities that\n            had completed PACS upgrades, and some informed us that SMD did not\n            communicate or provide guidance.\n\n            The SMD Director told us that an EPA workgroup has discussed issues related to\n            the smartcard program across the country. According to the Director, the\n            workgroup is made up of representatives from various programs and locations and\n            is designed to resolve issues and determine necessary Agency-wide standards. In\n            September 2012, the Director said that EPA would have national procedures in\n            place by December 31, 2012.\n\n            Another reason the PACS upgrade process has been inconsistent is that SMD did\n            not follow the plan submitted to OMB for carrying out the smartcard program.\n            According to the SMD Director, the last time SMD submitted a formal PACS\n            upgrade plan to OMB was in 2008. 
As discussed in chapter 2, EPA did not follow\n\n\n13-P-0200                                                                                        12\n\x0c            the process it laid out in that 2008 plan. If EPA\xe2\x80\x99s plans and approach have\n            changed, it should formally notify OMB of those changes so OMB can hold EPA\n            accountable.\n\nEPA Needs to Designate a Single Office to Administer Its Smartcard\nProgram\n            At present, EPA does not have a clearly identified office in charge of its smartcard\n            program. Program accountability is dispersed among offices and management. The\n            Federal Identity, Credential, Access Management (FICAM) Roadmap and\n            Implementation Guidance\xe2\x80\x94issued in December 2011 by the Federal Chief\n            Information Officers Council\xe2\x80\x94lays out guidance for federal agencies to, among\n            other things, increase security and improve inter-operability with the use of\n            smartcards. In February 2011, OMB issued memorandum M-11-11 requiring\n            agencies to follow the FICAM guidance. In M-11-11, OMB, through an attached\n            memorandum from DHS, asked each agency to \xe2\x80\x9c\xe2\x80\xa6designate an agency lead\n            official\xe2\x80\xa6\xe2\x80\x9d for implementing HSPD-12. While OMB asked agencies to designate\n            one person, EPA designated two people as lead officials. EPA identified OARM\xe2\x80\x99s\n            Director of the Office of Administration as well as EPA\xe2\x80\x99s Senior Agency\n            Information Security Officer (within OEI) as lead officials for HSPD-12\n            implementation. 
SMD and OEI managers told us that they believe that EPA was\n            the only agency that provided more than one point of contact to OMB.\n\n            According to the FICAM guidance, each agency should have a formal governance\n            structure that creates and assigns a specific group to (a) provide oversight and\n            management; and (b) develop and enforce agency-specific policies, processes,\n            and performance measures. Oversight of the program could come from an\n            executive steering committee and, if so (per the guidance), the committee should\n            have a charter that establishes the group\xe2\x80\x99s authority to enforce changes to align\n            the program with the agency\xe2\x80\x99s overall mission.\n\n            SMD and OEI managers told us that the Assistant Administrators for OARM and\n            OEI have been discussing with EPA\xe2\x80\x99s Chief Financial Officer over the last year\n            the idea of creating one office to oversee the Agency\xe2\x80\x99s smartcard program. In\n            response to our draft audit report, EPA told us it plans to decide which entity will\n            implement and oversee its smartcard program by June 30, 2013.\n\nEPA Not Maximizing Efficiency and Security Within PACS\n            Because EPA has not established consistent national physical access procedures,\n            regions have established different methods to gain access. With multiple\n            processes to manage, EPA is not realizing the potential benefits of a standardized\n            process such as lower equipment and maintenance costs and an overall greater\n            understanding of how the process works. Furthermore, EPA cannot assure it is\n            using the best approach nationally. If one physical access process is more\n            effective than others, EPA should use that process nationwide. 
However, since\n\n13-P-0200                                                                                     13\n\x0c            there is a lack of coordination among the different locations, good ideas used by\n            one region may not be benefitting other regions.\n\nConclusions\n\n            We recognize that EPA operates under a culture where regions often establish\n            their own processes for various programs. However, the inconsistency with which\n            EPA has upgraded PACS is impeding EPA\xe2\x80\x99s ability to have intra-operable\n            systems for EPA employees, much less inter-operability with other agencies. EPA\n            should follow a national process for physical access to its facilities. Inter-\n            operability is a primary goal associated with HSPD-12. Because the locations\n            where EPA completed PACS upgrades are not intra-operable, EPA might have to\n            spend additional funds to achieve national consistency. EPA has already spent\n            over $12.8 million upgrading PACS. EPA should specify a consistent process for\n            all regions to ensure that physical access systems can be inter-operable. 
EPA\n            should also increase accountability over its smartcard program by clearly\n            identifying one senior executive responsible for implementation and oversight.\n            Stronger leadership over the program should help address the issues related to\n            inconsistency that we have identified.\n\nRecommendations\n\n            We recommend that the Assistant Administrator for Administration and\n            Resources Management:\n\n            2.\t Develop national policies and procedures for PACS that foster consistent\n                physical access to EPA offices around the country.\n\n            We recommend that the Deputy Administrator:\n\n            3.\t Establish one entity responsible for implementing and overseeing the\n                Agency\xe2\x80\x99s smartcard program, including physical and logical access.\n\nAgency Comments and OIG Evaluation\n            EPA did not concur with recommendation 2 in our draft report. EPA stated it\n            disagreed with the word \xe2\x80\x9cinter-operable\xe2\x80\x9d in the recommendation because the\n            EPASS badge is inherently intra-operable across the Agency and inter-operable\n            with other federal agencies. EPA emphasized that the smartcard and PACS\n            programs fully support inter- and intra-operability in compliance with all\n            requirements and standards. As a result, EPA requested that the OIG remove the\n            words \xe2\x80\x9cand inter-operable\xe2\x80\x9d from recommendation 2.\n\n            EPA stated that it agreed with the OIG that fostering consistent facility access\n            procedures is important, with the understanding that procedures should be\n            responsive to local security conditions and the range of real estate arrangements at\n\n13-P-0200                                                                                       14\n\x0c            EPA facilities. 
EPA stated that what has been lacking is a clear understanding by\n            all offices of the capabilities of the smartcards and PACS, as well as an Agency-\n            wide policy on using smartcards for facility access. Therefore, EPA proposed in\n            its response to do the following two things by no later than March 31, 2013:\n            (1) disseminate information to regional personnel on existing capabilities of the\n            smartcards and PACS, and (2) submit an EPA-wide policy titled Use of the PIV\n            Card for Facility Access through the Agency\xe2\x80\x99s directives clearance process. The\n            purpose of the policy is to provide consistent application of physical access\n            controls; describe requirements for granting access to PIV-enabled EPA-\n            controlled buildings and spaces; and define the roles and responsibilities of all\n            parties involved in granting access to EPA facilities.\n\n            We removed the word \xe2\x80\x9cinter-operable\xe2\x80\x9d from the recommendation 2 language.\n            We believe that EPA\xe2\x80\x99s planned efforts to educate regional personnel on the\n            capabilities of the smartcards as well as to develop an Agency-wide policy to\n            foster consistent access procedures are adequate corrective actions. We fully\n            understand EPA\xe2\x80\x99s position that the EPASS badges are designed to be intra- and\n            inter-operable, as the smartcards comply with FIPS 201 requirements. The issue\n            that we presented in this chapter does not focus on any identified deficiencies\n            with the smartcard (badge) itself but rather on how EPA has allowed the\n            smartcards to be used for access in different ways across the country. 
EPA's planned corrective actions, particularly to issue a national policy on access procedures, should resolve the issues we identified during our audit. As a result, we consider recommendation 2 resolved with corrective action pending.

EPA concurred with recommendation 3. Under the Deputy Administrator's direction, EPA plans to determine the entity responsible for implementing and overseeing EPA's smartcard program by no later than June 30, 2013. We are pleased that discussions occurred over the last year between the Assistant Administrators for OARM and OEI and the Chief Financial Officer to consider creating one office to oversee the Agency's smartcard program. We consider recommendation 3 resolved with corrective action pending.

For EPA's detailed comments on this chapter and additional OIG responses, see appendix D.

13-P-0200    15

Chapter 4

EPA Acquired and Deployed Smartcard Technology Without Assuring Costs Were Reasonable

EPA has not maintained sufficient documentation to make sound cost-related decisions for upgrading PACS. We found numerous independent government cost estimates (IGCEs) that were not prepared appropriately. For example:

   •  There was no evidence that some IGCEs were final.
   •  A cost estimator who was not employed at EPA was the only name on several IGCEs.
   •  At least one IGCE was prepared to match the winning contractor's proposed offer.
   •  For three PACS contracts, no IGCEs were prepared.

In addition, contracting officers did not certify that EPA bought only approved products and services that complied with HSPD-12 requirements. SMD did not have a process in place to analyze actual costs from completed upgrades for future cost estimating purposes, due to issues within the program and contract management offices. SMD staff said they were not familiar with EPA OAM's IGCE Manual and GAO's cost estimating guide. OAM's contracting officers did not always ensure files contained the necessary documentation of price reasonableness. EPA plans to spend an additional $10.6 million to upgrade PACS, and the lack of assurance that costs are fair and reasonable will remain if EPA continues to award contracts without conducting sound cost analysis.

Cost Data and Documentation Requirements

OAM is responsible for the policies, procedures, operations, and support of EPA's procurement and contracts management program, from contract planning through closeout. In June 2010, OAM issued its most recent update to its EPA Guide for Preparing Independent Government Cost Estimates. This guidance states that IGCEs are an integral tool for effective acquisition programs in both government and private industry.

OAM's Manual for Preparing IGCEs

GAO's Cost Estimating and Assessment Guide (GAO-09-3SP) as well as OAM's IGCE Manual (June 2010 Revision) state that:

   … programs should be monitored continuously for cost control by comparing planned and actual performance against the approved program baseline [IGCE]… cost or schedule variances resulting from incorrect assumptions should always be thoroughly documented so as not to repeat history, and all historical data should be archived in a database for use in supporting future estimates.

OAM's manual states that an IGCE is a detailed estimate of the cost to the government to acquire services and/or supplies, typically from contractors. It also defines estimates as a projection or forecast of the economic or financial value of goods or services to be delivered in the future. IGCE users should be able to trace the data, calculations, modeling assumptions, and rationale back to the source document for verification and validation. In addition, it recommends that IGCEs contain the name and signature of the document preparer. A successful acquisition process requires collaboration between the program and procurement offices. When a program office prepares a meaningful IGCE, the contracting officer can use that document to facilitate the determination of fair and reasonable pricing in the procurement process.

OAM Contracts Management Manual

OAM's Contracts Management Manual states that project officers shall submit IGCEs for all contract actions with a potential value in excess of $150,000 (the Federal Acquisition Regulation [FAR] threshold for simplified acquisitions). In addition, it states that IGCEs "are an integral part of any effective acquisition program." Section 7.3 of the manual specifies that the contracting officer will perform the necessary analysis leading to a decision to lease or purchase equipment, considering comparative costs and other factors. It also states that the project officer and contracting officer share responsibility for making sure the procurement initiation package is complete. This package is required for all procurements above the FAR threshold.

FAR Requirements for Contract Documentation

FAR Part 4.801(b) states that the documentation in files shall be sufficient to constitute a complete history of the transaction. FAR Part 4.803(a) provides examples of records normally contained, if applicable, in contract files. These documents should include, but are not limited to: justifications and approvals; determinations, findings, and associated documents; the government estimate of contract price; a copy of each offer or quotation; source selection documentation; and cost or price analysis. FAR Part 4.803 also requires that federal agencies maintain documentation to evidence the contracting officer's determination of a fair and reasonable price. FAR 4.1302 states that agencies must purchase only approved personal identity verification products and services. When acquiring personal identity verification products and services not using GSA Federal Supply Schedule 70, agencies must ensure and certify that the applicable products and services are approved as compliant with FIPS 201.

EPA Did Not Maintain Sufficient Documentation to Support PACS Decisions

We obtained IGCEs for most of the projects, although there were no IGCEs for three. We also identified questionable IGCE preparation practices for PACS upgrades. Contract files for some PACS upgrades were incomplete. SMD was unable to provide us with evidence of detailed cost analysis for PACS projects.

Missing IGCEs

SMD was unable to locate IGCEs for the following three PACS upgrade projects: Potomac Yard, Arlington, Virginia; Fort Meade, Maryland; and Montgomery, Alabama. All of these projects exceeded the $150,000 FAR threshold, making it mandatory that an IGCE be prepared, per OAM's Contracts Management Manual. SMD paid contractors approximately $1.5 million for these three upgrades but was unable to produce IGCEs documenting SMD's assessment of what the cost should have been in each case. Specifically:

   •  Potomac Yard project in 2006 (Contract GS07F0142L / EP06H001120): EPA was unable to locate much of the documentation associated with this contract, other than a copy of the order, dated February 16, 2006, and a copy of Amendment 1, also from February 2006, which was a $4,623 de-obligation action to close out the file. Months after our original request, OAM was able to produce a copy of the Request for Quotes and correspondence related to bid evaluation. There was no IGCE for this project.

   •  Fort Meade project started in 2008 (Contract GS-07F-7823C / EP-08H-000750 / EP-08H-001533 / EP-G11H-00126): The file contained no documentation of contractor performance or IGCE.

   •  Montgomery, Alabama, project in 2008 (Contract GS-Q7F-7823C / EP-10H-001546): We found no IGCE in the file. SMD informed us it was unable to locate a copy of the IGCE for that contract.

Questionable IGCE Preparation Practices

We found that the contract file for the Region 1 main building upgrade in Boston contained an IGCE prepared by SMD's IGCE contractor consultant for the exact amount of the original procurement order for the primary PACS upgrade, or $2,322,852.08. When we asked the consultant about this, he acknowledged that he did not have support for the figures included in the IGCE and that he simply followed instructions from a former SMD manager to prepare an IGCE for the Boston project. The consultant told us that he "plugged" some numbers into certain cost categories on the IGCE template to make the total equal the contract award amount. He told us that he would not have done this on his own; someone at EPA instructed him to do it that way. In that instance, the IGCE that EPA prepared was essentially meaningless, as it was simply prepared to match the award amount.

We found several IGCEs that were not signed or dated and did not show evidence of EPA approval. Of the 15 contracts we reviewed, 3 contained an IGCE prepared by the consultant. Through the end of 2011, the documentation that we were provided showed that the consultant's estimates were considered by SMD to be the final IGCE. We found that those IGCEs prepared by SMD's consultant had the consultant's name at the top, but neither SMD nor OAM personnel signed the estimates. The later IGCEs that the SMD contracting officer's representative prepared were not dated or signed by SMD or OAM staff. According to the contracting officer's representative, he now includes his estimates in the procurement initiation notice package. However, he did not sign them or have other evidence demonstrating that the IGCE was considered final and approved. SMD staff acknowledged that the consultant's estimate should not constitute the final estimate.

Contract Files for PACS Projects Incomplete

Contracts awarded between 2006 and 2010 were very poorly documented. In general, files did not contain evidence of contractor oversight, such as invoices, work progress reports, or certification of work completion. While both OEI and SMD acquired products and services from contractors that were not on GSA's Qualified HSPD-12 Service Providers list, OAM did not always certify that all products procured were approved and complied with all federal requirements. OAM managers and staff said the Statements of Work that they develop require vendors to propose only approved products. In one case, SMD had scramble pad readers installed at Region 6's Addison, Texas, Continuity of Operations facility in 2009. According to SMD personnel, those card readers were not on GSA's approved products list in 2009 and EPA should not have installed them. The PACS readers installed at that facility cost more than $497,000 and do not comply with Section 508 of the Americans with Disabilities Act. Region 6 asserts that it never wanted them but SMD gave them no choice. Region 6 facilities personnel told us that they are requesting that SMD replace them to match the card readers in Region 6's main building.

SMD Did Not Analyze PACS Costs

SMD did not have a process in place to analyze actual costs from completed upgrades for future cost estimating purposes. In one case (Boston), SMD could not provide the actual cost of the PACS component of the installation contract. That contract included other security items such as closed circuit television. SMD said that the contractor quotes did not separate the price of the different components. As a result, this cost information was not available as a basis for comparison to evaluate subsequent procurements, as required by the criteria documents cited above. EPA awarded other contracts that also contained costs for security features in addition to PACS. In some cases, regional EPA contacts provided information to clarify PACS costs, but SMD was not able to provide us with the appropriate documentation. SMD's contracting officer's representative had, on his own initiative, attempted a comparison of contract costs in 2011 but was unable to include the above-cited contracts in the comparison. The contracting officer's representative acknowledged he is not required to perform this kind of analysis as part of his regular duties, and his supervisor, the PACS Project Manager, was unaware that he had attempted the analysis.

Project and Contract Management Staff Did Not Assure Adequate Data Were Maintained

The lack of cost data and incomplete contract files resulted from issues within both the project management and contract management offices. When the PACS upgrades started, staff and management turnover was an issue. Some employees with responsibilities for the PACS contracts left, and neither SMD nor OAM could locate some of the file documentation. In addition, OAM's contracting officers did not always ensure that the files contained the necessary documents for some PACS contracts. SMD staff were not aware of the OAM IGCE Manual or the GAO Cost Estimating and Assessment Guide. SMD officials acknowledged they had not received training in this area. Further, SMD did not have a process in place to conduct and document cost analysis after projects were completed (for example, analyzing cost per reader or per door) to gain assurance that future project costs were reasonable based on experience.

In July 2012, GAO issued a report titled Information Technology Cost Estimation: Agencies Need to Address Significant Weaknesses in Policies and Practices (GAO-12-629). GAO reported that EPA information technology investments only partially met requirements for complying with cost-estimating best practices, and did not meet requirements for providing cost estimating training. EPA also did not have a process to collect and store cost-related data. GAO concluded that until these weaknesses are addressed, it will be difficult for EPA to use cost estimates to make informed decisions, formulate realistic budgets, or meaningfully measure progress for information technology projects.

Conclusions

EPA needs accountability for procurement decisions relating to PACS. SMD and OAM made procurement decisions without the benefit of required cost information. Of the $12.8 million EPA spent on PACS projects, it did not have the necessary documentation to show that the costs were fair and reasonable for $3.8 million (30 percent). In addition, EPA needs to ensure that it properly documents cost analysis information in the future to ensure costs are reasonable and fair. According to EPA estimates, EPA plans to spend another $10.6 million on PACS upgrades. EPA should conduct cost analysis on these future upgrades to ensure fair and reasonable prices.

There was no evidence that collaboration between SMD and OAM occurred. Furthermore, since the IGCEs were missing from some contract files, it appears that OAM did not use them at all in some cases. In addition, during the course of our review, SMD continually made revisions to the IGCEs that it had previously given us or changed its analysis. As a result, we were not confident that the data SMD was providing in the IGCEs was finalized or accurate.

Recommendations

We recommend that the Assistant Administrator for Administration and Resources Management:

   4. Hold contracting officers accountable for maintaining complete files for PACS contracts, including documenting fair and reasonable price determinations, progress and completion of contracted work, and certifying that products for PACS procurements meet requirements in FAR Part 4.1302.

   5. Enforce applicable guidelines pertaining to IGCEs, including:

      a. Preparing IGCEs for all procurement actions in excess of the FAR threshold.

      b. Adopting an official IGCE format that shall include the name and signature of the preparer, the date prepared, and the signature of the approving official.

      c. Establishing a process that SMD can use to conduct and document cost analyses of prior upgrades to ensure that future project costs are reasonable.

      d. Establishing a requirement that SMD staff involved with preparing and reviewing IGCEs certify that they have read OAM's IGCE Manual and understand the guidance.

Agency Comments and OIG Evaluation

EPA concurred with recommendation 4, stating that the audit findings in this chapter are consistent with similar findings that OAM reviews have found related to internal controls and oversight systems. EPA responded that, to ensure file quality, OAM conducts multiple types of contract file reviews. In these reviews, contract file content is a significant review element. Findings from these reviews are provided to contracting officers for corrective action, if necessary, and used by OAM to identify policy gaps and possible training topics for contracting staff.

EPA stated in its response to recommendation 4 that it already completed corrective actions before the end of December 2012 that address our recommendation. We requested that OAM send us information related to any such actions. According to OAM, it has implemented a Balanced Scorecard Performance Management and Measurement Program, which contains a self-assessment and peer review and oversight component. A primary purpose of the Peer Review and Self Assessment Checklist, dated August 2012, is to conduct file reviews to assess the quality of the contracting process at EPA, including thorough file reviews. We reviewed this document and believe that, if followed, these reviews would address our recommendation, so we consider recommendation 4 closed upon issuance of this report.

EPA partially concurred with recommendation 5. Specifically, it agreed with recommendations 5a and 5b. For 5a, OAM stated that it agrees with the OIG that the IGCE policy as currently written does not distinguish between types of IGCEs or the level of detail required in IGCEs for different types of acquisitions. OAM agreed to review its current policy and provide more details and specific guidance pertaining to when an IGCE is required, at what threshold, and the level of detail required, to ensure the clarity, consistency, and significance of the IGCEs prepared. OAM stated it would revise its policy by September 30, 2013. We agree with EPA's proposed action and consider this recommendation resolved with corrective action pending.

Regarding 5b, EPA responded that because each program in EPA is unique, there is no "one-size-fits-all" IGCE format, nor should there be. OAM agreed with the OIG that IGCEs should be thoughtfully prepared and reviewed. OAM is in the process of implementing EPA's Paperless Acquisition Program. This is an initiative that allows cost estimates to be included with electronically submitted procurement packages. This includes information on who developed and approved the procurement information. EPA plans to have the system implemented by September 30, 2013. We agree that this new system will address recommendation 5b and consider the recommendation resolved with corrective action pending.

Regarding recommendation 5c, OAM stated that the responsibility for conducting cost analysis resides with contracting officers, according to the FAR, and not with program offices. OAM further stated that its oversight program covers ensuring that cost analysis is performed. Regarding recommendation 5d, OAM said that training on IGCEs is part of the training that contracting officer representatives receive before they are certified. As a result, OAM stated that it did not believe that a separate IGCE certification for SMD staff was necessary.

Regarding recommendations 5c and 5d, we accept OAM's rationale that cost analysis is to be performed by contracting officers. We also concur that OAM's IGCE training for new contracting officer representatives should address our recommendation. Therefore, we consider recommendations 5c and 5d closed upon issuance of this report.

For EPA's detailed comments on this chapter and additional OIG responses, see appendix D.

Status of Recommendations and Potential Monetary Benefits

The table lists each recommendation with its page number, subject, status (see legend below), action official, and planned completion date. No potential monetary benefits (claimed or agreed-to amounts, in $000s) are listed for any recommendation.

Rec. 1 (page 8): Re-prioritize the remaining facility upgrades by security level from highest to lowest, complete all remaining upgrades according to security level, and require the SMD Director to provide written justification for upgrading Level 1 facilities.
   Status: O. Action official: Assistant Administrator for Administration and Resources Management. Planned completion date: 06/30/2014.

Rec. 2 (page 14): Develop national policies and procedures for PACS that foster consistent physical access to EPA offices around the country.
   Status: O. Action official: Assistant Administrator for Administration and Resources Management. Planned completion date: 03/31/2013.

Rec. 3 (page 14): Establish one entity responsible for implementing and overseeing the Agency's smartcard program, including physical and logical access.
   Status: O. Action official: Deputy Administrator. Planned completion date: 06/30/2013.

Rec. 4 (page 21): Hold contracting officers accountable for maintaining complete files for PACS contracts, including documenting fair and reasonable price determinations, progress and completion of contracted work, and certifying that products for PACS procurements meet requirements in FAR Part 4.1302.
   Status: C. Action official: Assistant Administrator for Administration and Resources Management. Planned completion date: 12/31/2012.

Rec. 5 (page 21): Enforce applicable guidelines pertaining to IGCEs, including:
   Action official: Assistant Administrator for Administration and Resources Management.
   a. Preparing IGCEs for all procurement actions in excess of the FAR threshold. Status: O. Planned completion date: 09/30/2013.
   b. Adopting an official IGCE format that shall include the name and signature of the preparer, the date prepared, and the signature of the approving official. Status: O. Planned completion date: 09/30/2013.
   c. Establishing a process that SMD can use to conduct and document cost analyses of prior upgrades to ensure that future project costs are reasonable. Status: C. Planned completion date: 12/21/2012.
   d. Establishing a requirement that SMD staff involved with preparing and reviewing IGCEs certify that they have read OAM's IGCE Manual and understand the guidance. Status: C. Planned completion date: 12/21/2012.

Status legend:
O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is unresolved with resolution efforts in progress

Appendix A

Details on Scope and Methodology

During our audit, we reviewed:

   •  HSPD-12 and associated criteria, including FIPS 201 and OMB Memos M-05-24, M-06-18, and M-11-11
   •  EPA plans and policies regarding smartcard implementation
   •  All contracts that were awarded to upgrade physical and logical access control systems to comply with HSPD-12
   •  IGCEs and other cost-related documents for PACS contracts

During our audit, we interviewed:

   •  SMD's Director and Deputy Director, as well as the PACS project manager and other staff
   •  OEI Senior Agency Information Security Officer and staff
   •  EPA PACS coordinators from all regions where PACS were upgraded
   •  The EPA contractor who prepared PACS cost estimates for SMD
   •  OAM contract management staff
   •  DHS' Identity Management Division Chief

We issued a survey to individuals whom SMD and OEI designated as primary contacts for physical and logical access systems. We issued the survey to ensure we received widespread input relating to EPA's progress in implementing HSPD-12.

We conducted a site visit to EPA's Region 1, located in the McCormack Building in Boston, Massachusetts. We selected Region 1 for a site visit because, of all of the completed upgrades, its upgrades were the most costly.

We coordinated with OMB's Assistant General Counsel on specific parts of its HSPD-12-related memos.

Appendix B

Prior OIG and GAO Audit Reports

EPA OIG Reports

Report 09-P-0233, September 2009
   HSPD-12 issues identified: EPA did not properly account for all property for implementing the issuance of smartcards under HSPD-12. The OIG found that: (1) four pieces of property valued at $29,538 were missing and not recorded in the fixed assets subsystem, (2) acquisition costs in the fixed assets subsystem were incorrect for some equipment, and (3) EPA did not accurately record required nonfinancial information for several pieces of property.
   Recommendations/corrective actions: EPA needed to use established procedures to resolve accountability for the missing property, and review the accuracy of HSPD-12 property information. EPA also needed to modify the HSPD-12 contract to reflect contractor requirements and accountability for using government property in government facilities. EPA established a December 2009 milestone for resolving missing HSPD-12 property and updating the Fixed Assets Subsystem with accurate records. The Agency also modified the contract on July 22, 2009, to reflect contractor requirements and accountability for the HSPD-12 property.

Report 08-P-0271, September 2008
   HSPD-12 issues identified: EPA did not require the EPASS contractor to follow Agency procedures for developing smartcards. EPASS did not have a certified Project Manager authorized to oversee the contractor's work. EPA also paid for contractor labor overcharges worth over $75,000.
   Recommendations/corrective actions: EPA needed to (a) develop and maintain an EPASS System Management Plan, (b) appoint an EPASS Project Manager, (c) outline and reinforce compliance with EPA invoice reviewing guidance, and (d) ensure EPA collects from the contractor the amount EPA overpaid for billing rate errors. EPA agreed to address the recommendations contained in (a), (b), and (c) by January 2009. EPA reported it had already addressed recommendation (d) at the time its corrective action plan was issued.

Report 08-P-0267, September 2008
   HSPD-12 issues identified: An employee's ID card had the ID documents and other identifying information of another EPA employee. EPA procedures did not require EPASS staff to visually inspect employees' ID documents. EPA also lacked procedures for handling and disposing of defective smartcard badges.
   Recommendations/corrective actions: EPA needed to (a) update card issuance procedures (including visually inspecting ID documents and comparing them to the applicant), (b) create incident-handling procedures for when errors occur, and (c) create and implement procedures for disposal of defective ID badges. EPA agreed with all three recommendations and planned to complete all three by December 2008.

DHS OIG Reports

Report DHS OIG-10-40, January 2010
   HSPD-12 issues identified: Resources and security issues hinder DHS' implementation of HSPD-12. DHS does not have a plan to successfully implement a robust program to increase physical and logical access security within the department. The absence of an HSPD-12 program implementation plan, a department-wide deployment strategy, and sufficient resources is hindering progress. Components currently have their own individual physical access control systems, which will need to be consolidated into DHS' Headquarters PACS sometime in the future.
   Effects/recommendations: More work remains to ensure that DHS consolidates its infrastructures to support the HSPD-12 program. In addition, DHS needs an interface between the card issuance system, the Identity Management System, and PACS. Necessary facility upgrades need to be completed at component locations to ensure personal identity verification cards are interoperable with DHS' physical and logical access control systems.

Report DHS OIG-08-01, October 2007
   HSPD-12 issues identified: DHS has made progress, but more work remains in meeting HSPD-12 requirements. DHS has not: (1) effectively managed the implementation to ensure that the department can meet all mandated milestones, (2) provided its components with sufficient guidance for their sites' implementation of HSPD-12, (3) complied with OMB implementation reporting instructions, (4) identified to what extent PIV cards will be used or required in order to access facilities or information systems, and (5) determined which facilities will require PIV cards in order to gain physical access.
   Effects/recommendations: DHS does not have a certified and accredited operational system to support the implementation of HSPD-12. Specifically, DHS has not acquired the capability to issue PIV cards to its headquarters employees and contractors, and to bring its system to production readiness.

GSA OIG Report

Report GSA OIG A040111/P/R/R05002, January 2005
   HSPD-12 issues identified: GSA hindered implementation of the smartcard credentials by a lack of a vision for incorporating the smartcard credential as a component of agency-wide security. As a result, the credentialing program will have only a limited impact on the security over physical access to buildings and facilities due to a variety of factors, including inconsistent controls and a lack of supporting infrastructure.
   Effects/recommendations: Although GSA has provided guidance and procurement vehicles for agencies to implement smartcards, until recently it had made only limited progress in implementing smartcards within the agency.
Further, other\n                      aspects of the smartcard initiative\xe2\x80\x94such as\n                      integrated security practices, inter-\n                      operability, and procurement issues\xe2\x80\x94\n                      will also be problematic for an effective\n                      implementation.\n\nGAO Reports\n\nReport\n                         HSPD-12 issues identified                          Effects/recommendations\nnumber / date\nGAO-06-178,      The federal government faces significant             Until agencies address implementation\nFebruary 2006    challenges in implementing FIPS 201. It will be      challenges, the federal government may not\n                 a challenge to test and acquire compliant            fully realize the benefits of FIPS 201.\n                 commercial products\xe2\x80\x94such as smartcards and           Specifically, agencies may not be able to\n                 card readers\xe2\x80\x94within required periods, and            meet implementation deadlines established\n                 reconcile divergent implementation                   by OMB, and more importantly, true inter-\n                 specifications. Incomplete guidance regarding        operability among federal government\n                 the applicability of FIPS 201 to facilities,         agencies\xe2\x80\x99 smartcard programs\xe2\x80\x94one of the\n                 people, and information systems is a potential       major goals of FIPS 201\xe2\x80\x94may not be\n                 for substantial cost increases.                      
achieved.\nGAO-05-84T,      While smartcard technology offers benefits,          The successful adoption of smartcards\nOctober 2004     launching smartcard projects\xe2\x80\x94whether large or        throughout the federal government has been\n                 small\xe2\x80\x94has proved challenging to federal              a challenging task, and federal agencies\xe2\x80\x99\n                 agencies and efforts to sustain successful           adoption of this technology continues to\n                 adoption of the technology remains difficult.        evolve.\n\n\n\n\n13-P-0200                                                                                                      28\n\x0c                                                                                                  Appendix C\n\n\n            List of Contracts Awarded as of March 2012\n                         for PACS Upgrades\n#             Contract # / Order                                  Location                           Actual Cost\n1      GS07F0142L / EP06H001120             HQ: Potomac Yard, Arlington, VA                              $560,229\n2      RWA N0043821 Amendment #4            Region 6: COOP - Addison, TX                                  829,584\n       RWA B0334475\n3      RWA A0550220                         Region 1: HQ - Boston, MA                                   3,081,709\n       RWA A0786418\n\n                                            Cincinnati, OH: AWBERC, Norwood, Center Hill,\n4      GS07F0103M DO#5                                                                                    393,374\n                                            Test and Evaluation; Erlanger, KY\n\n       GS07F0317K / EP09H001359             Region 8: HQ Denver, CO; NEIC, NETI (Lakewood,\n5                                                                                                         900,477\n       GS07F0317K / EP09H001605             CO); Golden, CO; Helena, MT\n\n       
GS07F0317K / EP10H000322\n                                            Research Triangle Park: Mega Labs A/B, C, D/E,\n6      GS07F0317K / EP10H001635             High Bay; NCC, FEELC, Page Road; Durham /                   1,139,396\n                                            Chapel Hill, NC\n       EP10H001578\n7      GS07F0317K / EP10H002003             Region 6: HQ - Dallas, TX                                     823,094\n       GS07F7823C / EP08H000750\n8      EP10H001533                          Fort Meade, MD                                                255,763\n       GS-07F-7823C/ EP-GIIH-0012 6\n9      GS07F7823C / EP08H001546             Montgomery, AL                                                687,821\n10     GS07F0450K / EP10H002195             Region 5: HQ, Lab; COOP - Willowbrook, IL                     778,790\n                                            Region 3: HQ - Philadelphia, PA; Boothwyn, PA;\n11     GS07F0489V / EP10H002230                                                                           530,394\n                                            Linwood, PA; Wheeling, WV\n12     GS-07F-0317F/ EP-G11H-00204          Ann Arbor Laboratory, MI                                      940,644\n13     GS-07F-0178W/ EPG11H000667           Guaynabo, Puerto Rico                                         587,669\n                                            Region 2: HQ - New York, NY; Edison Lab, Edison,\n14     EP11H000874                                                                                      1,481,898\n                                            NJ\n                                            Region 4: HQ - Atlanta, GA; ERD, SESD, Athens,\n15     GS07F450K / EPG11H00248                                                                            983,985\n                                            GA\n    Total                                                                                           $13,974.828 1\nSource: 
EPA\xe2\x80\x99s SMD\n\n\n\n1\n The dollar amounts in the table above, in some cases, are higher than the amount EPA spent specifically for PACS.\nThis is because several of those contracts included costs for other security upgrades such as CCTV.\n\n13-P-0200                                                                                                      29\n\x0c                                                                                    Appendix D\n\n                                Agency Response\n                                       December 21, 2012\n\nMEMORANDUM\n\nSUBJECT:\t Response to Office of Inspector General Draft Report No. OA-FY11-1789,\n          \xe2\x80\x9cImprovements Needed in EPA\xe2\x80\x99s Smartcard Program to Ensure Consistent\n          Physical Access Procedures and Cost Reasonableness,\xe2\x80\x9d dated November 8, 2012\n\nFROM:\t         Renee Page\n               Director, Office of Administration\n\n               John R. Bashista        \n\n               Director, Office of Acquisitions Management \n\n\nTO:\t           Melissa Heist\n               Assistant Inspector General for Audit\n\nThank you for the opportunity to respond to the issues and recommendations in the subject draft\naudit report. Following is a summary of the agency\xe2\x80\x99s overall position, along with its position on\neach of the report recommendations. For those report recommendations with which the agency\nagrees, we have provided high-level intended corrective actions and estimated completion dates\nto the extent we can. For those report recommendations with which the agency does not agree,\nwe have explained our position and proposed alternatives to recommendations. 
We have also addressed selected factual inaccuracies in the report.

AGENCY’S OVERALL POSITION

Of the three major components of the federal smart card program–the badge, physical access control and logical access control–the Office of Administration is responsible for the first two. Regarding the primary subject of this draft report, physical access control, EPA is compliant with all applicable federal requirements and technical standards. We disagree with Recommendations 1 and 2 and all related text indicating we are not compliant. We agree with Recommendation 3. The report as a whole presents an inaccurate picture of the EPASS physical access control program. The majority of conclusions concerning physical access are not supported by sufficient and relevant evidence and are not logical inferences about the program.

Regarding the contracts-related portions of the report, the Office of Acquisition Management agrees with Recommendation 4; the findings in the draft report are consistent with similar findings under the Office of Acquisition Management’s previous quality assurance program, which indicated a need to improve EPA’s acquisition-related internal controls and oversight systems. OAM partially agrees with Recommendation 5, and believes the documentation supporting the sub-recommendations inflates the level of significance of the findings.

AGENCY’S RESPONSE TO REPORT RECOMMENDATIONS

Agreements

No. 3
Recommendation: Establish one entity responsible for implementing and overseeing the agency’s smartcard program, including physical and logical access.
High-Level Intended Corrective Action(s): Under direction of the Deputy Administrator, relevant stakeholders will convene to determine the entity responsible for implementing and overseeing the program.
Estimated Completion by Quarter and FY: Q3 FY 2013

No. 4
Recommendation: Hold contracting officers accountable for maintaining complete files for PACS contracts, including documenting fair and reasonable price determinations, progress and completion of contracted work, and certifying that products for PACS procurements meet requirements in FAR Part 4.1302.
High-Level Intended Corrective Action(s): See discussion below
Estimated Completion by Quarter and FY: Completed Q1 FY 2013

No. 5a-b
Recommendation: Enforce applicable guidelines pertaining to IGCE, including:
   a. Preparing IGCEs for all procurement actions in excess of the FAR threshold.
   b. Adopting an official IGCE format that shall include the name and signature of the preparer, the date prepared, and the signature of the approving official.
High-Level Intended Corrective Action(s): See discussion below
Estimated Completion by Quarter and FY: a. Q4 FY 2013; b. Completed Q1 FY 2013

Recommendation 4

OARM/OAM agrees with this recommendation. Acquisition Handbook Chapters 4 and 42, and Contract Management Manual Chapters 7 and 42, contain significant policy and guidance pertaining to contract file documentation, such as required supporting documentation, approvals, and checklists. Findings in the Draft Report are consistent with similar findings under OAM’s previous Quality Assurance Program, which indicated a need to improve EPA’s acquisition-related internal controls and oversight systems. As such, in FY 2011 OAM implemented the Balanced Scorecard (BSC) Performance Measurement and Management Program. Under the BSC Program, OAM uses a combination of objective performance measures, quality assurance plans, self-assessment reviews, peer reviews, and training to review, ensure and facilitate compliance with procurement statutes, regulations, policies, procedures, and other guidance.

To ensure file quality, OAM conducts multiple types of contract file reviews, including routine peer reviews and random sampling file reviews in accordance with contracting office Quality Assurance Plans (QAPs), and Self-Assessment Reviews under the OAM-wide Contract Management Assessment Program (CMAP) review. In each of these reviews, contract file content, in terms of compliance and quality, is a meaningful review element.
Findings resulting from these reviews are provided to the Contracting Officers of record for corrective action if necessary, and are used by the organization to identify policy gaps and possible training topics for contracting staff.

Recommendation 5

As a general comment on the OIG’s review in this area, OAM believes the documentation supporting these recommendations inflates the level of significance of these findings. Of the 22 files cited in the report, 18 were for the acquisition of supplies or services that meet the definition of a commercial item, so a detailed IGCE is not required; 16 were acquired on a firm-fixed-price basis, so a detailed IGCE is not required; 15 were for GSA Schedule orders, so a detailed IGCE was not required; and 6 were valued at less than the Simplified Acquisition Threshold, so an IGCE was not required. However, OAM continues to make efforts to ensure proper IGCEs are developed with new procurement packages as required by CMM 7.3.5.7. In October 2012, OAM released Interim Policy Notice 12-03 – Acquisition Planning, which puts greater emphasis on the combined planning efforts (including the development of IGCEs) of the program and contracting offices for each new acquisition greater than the SAT.

Sub-recommendation a: Having raised these anomalies, OAM agrees IGCE policy as currently written fails to distinguish between different types of IGCEs or the level of detail required in an IGCE for different types of acquisitions. As indicated above, many of the contract files reviewed in this audit were for commercial item products acquired competitively on a firm-fixed-price (FFP) basis through contracts managed by the General Services Administration (i.e., GSA Schedule Contracts). Competitive orders for FFP commercial item products through GSA Schedule Contracts do not rely on a detailed estimate of cost elements found in an IGCE as the basis for fair and reasonable pricing. In these instances, the most appropriate type of IGCE would be a “Price Estimate,” which the Federal Acquisition Institute (FAI) describes as “a bottom line firm-fixed price.” Accordingly, OAM will review current policy to provide more details and specific guidance on the circumstances under which an IGCE is required, including at what threshold, as well as the content and level of detail and documentation required, to ensure clarity and consistency of IGCEs, and also to ensure IGCEs serve as meaningful tools in the acquisition process.

Sub-recommendation b: The EPA Guide for Preparing Independent Government Cost Estimates, June 2010, published on OAM’s web-site, contains information and guidance on the types, methodologies, and techniques for developing IGCEs, as well as samples and approaches. However, emphasis on the program-specific nature of the IGCE is a common theme throughout the guide, and as such there is no way to develop a “one-size-fits-all” IGCE format. OAM does agree that IGCEs should be thoughtfully prepared and reviewed. To that end, OAM is currently developing a Paperless Acquisition Program to receive procurement documentation exclusively in electronic format through the Agency’s acquisition system, EAS. EAS allows program offices with new contract requirements to attach supporting documents (including IGCEs) to an electronic requisition and route it through the program office for review and approval. OAM believes creation of this electronic record will not only increase the efficiency of the procurement process, but also satisfy sub-recommendation b.

Disagreements

No. 1
Recommendation: Reprioritize the remaining facility upgrades by security level from highest to lowest, complete all remaining upgrades according to security level, and require the SMD director to provide written justification for upgrading Level 1 facilities.
Agency Explanation/Response: See discussion below
Proposed Alternative: Continue with current implementation sequencing, which in large part achieves the aim of the recommendation: all remaining Facility Security Level (FSL) 4 upgrades will have been initiated by Q2 FY13; all FSL 3s by Q3 FY13; all 2s by Q3 FY14. The SMD Director will provide written justification to the OARM Assistant Administrator for any FSL 1 upgrades.

No. 2
Recommendation: Develop national policies and procedures for PACS that foster consistent and inter-operable physical access to EPA offices around the country.
Agency Explanation/Response: See discussion below
Proposed Alternative: Submit for the EPA directives clearance process a draft EPA-wide policy, Use of the PIV Card for Facility Access, Q2 FY 2013. Create and disseminate outreach on existing inter-operable capabilities to regional personnel, Q2 FY 2013.

No. 5c-d
Recommendation: Enforce applicable guidelines pertaining to IGCE, including:
   c. Establishing a process that SMD staff can use to conduct and document cost analyses of prior upgrades to ensure that future project costs are reasonable.
   d. Establishing a requirement that SMD staff involved with preparing and reviewing IGCEs certify that they have read OAM’s IGCE Manual and understand the guidance.
Agency Explanation/Response: See discussion below
Proposed Alternative: N/A

Recommendation 1

OA disagrees with Recommendation 1 for the following reasons (explained in more detail below): Facility security level is one, but not the only, criterion for prioritizing PACS projects; the rationale for the recommendation, “...some facilities housing hundreds or even thousands of employees along with other important assets did not require the higher level of authentication to gain access as some facilities of lesser value and importance” (p. 7), is not supported by evidence and confuses the role of authentication; and any reprioritizing at this advanced stage of the overall PACS project would be costly and unnecessary, particularly since the remaining sequencing in large part accomplishes the aim of the recommendation.

   OIG Comment: At the time we completed our work, EPA had not upgraded Security Level 4 facilities within headquarters. Access to these facilities is gained by showing a badge to a security guard rather than using a smartcard badge and a PACS reader. Conversely, in other locations, EPA did update some lower level facilities with PACS readers. In one case, EPA upgraded a vehicle storage building that did not permanently house any EPA employees. EPA’s most critical assets, where more people and other important resources reside, should be upgraded before its lower level facilities.

Security level is not the only criterion for prioritizing: EPA’s PACS program is accountable to OMB, and nowhere does OMB stipulate that PACS be upgraded according to facility security level (FSL).
The report’s statement, “Eight years after President Bush signed HSPD-12, EPA has not upgraded all of its most critical facilities” (p. 7), is not relevant since OMB leaves sequencing to the agencies. EPA is fully compliant with its OMB plan, which is to install PIV-enabled PACS at 5-8 facilities per year, with completion by the end of FY 2015.

   OIG Comment: In 2008, EPA provided OEI’s HSPD-12 Physical Access Controls and Logical Access Controls Plan to OMB. In 2009, EPA issued its EPASS Project Management Plan. Both plans laid out the priority in which EPA would upgrade PACS. They documented that EPA would upgrade new construction or leases first, followed by facilities based on security level ratings. The 2008 plan stated, “…EPA will mitigate its highest risks first thus protecting our higher valued targets early on in the implementation process.” The plan also stated that EPA would complete upgrading all of its Security Level 4 facilities by December 2011. Similar to EPA Order 3200, the 2008 plan also stated that existing Security Level 1 facilities would not be upgraded. We continue to believe that EPA did not follow the plan as submitted to OMB.

Likewise, HSPD-12 and its implementing standards do not stipulate PACS sequencing or that PACS be upgraded according to FSL. FSL is derived from an Interagency Security Committee (ISC) 2008 standard, Facility Security Level Determinations for Federal Facilities. That standard defines FSL as a “categorization based on the analysis of several security-related facility factors, which then serves as the basis for the implementation of certain protective security measures specified in other ISC standards” (p. 2), not in HSPD-12 standards. EPA complies with the ISC’s 2010 Physical Security Criteria for Federal Facilities to mitigate vulnerabilities by FSL-appropriate means, agency-wide, including vulnerabilities related to facility access controls. The ISC standard does not mention PIV-enabled PACS among physical access control protective measures.

   OIG Comment: EPA’s comments in the preceding paragraph do not include all of the criteria for which it was accountable. EPA did not follow the process for upgrading the PACS program that was defined in the plans it submitted to OMB in 2008 or EPA Order 3200—the Agency’s policy for implementing EPA’s smartcard program. Our report does not recommend any changes to processes and procedures where EPA is already compliant. Instead, our recommendations target those areas where EPA has not been compliant.

EPA’s PACS sequencing has evolved since 2005, as is appropriate, to reflect new and changing technical standards, federal priorities, enhanced technology, the ability to network PACS, lessons learned, and opportunities to decrease waste and improve efficiency and cost effectiveness. EPA considers FSLs in sequencing PACS upgrades, but also considers existing PACS that are failing, new construction or leases, and facilities housing critical infrastructure and key resources. Please note that at EPA, some critical infrastructure and systems (such as those in COOP facilities) are housed in facilities that, per ISC standards, are FSL 1 or 2 because of their small size, small population and lack of symbolic importance.

On a case-by-case basis, certain facilities that are in close proximity to priority PACS implementation sites and that would eventually be scheduled for PACS upgrades are included with nearby, higher-priority projects to reduce cost, improve efficiency, and align IT infrastructure. To give a dramatic example of the cost efficiencies gained:
   • At an earlier phase of the PACS program, the Region 6 Addison and Dallas facilities, with approximately 150 card readers between them, were upgraded under separate contracts for a combined cost of $1,283,665.
   • The Region 2 New York and Edison facilities, with over 200 card readers between them, were upgraded under a single contract at a cost of $909,290.

OA agrees with the OIG that we should have updated documents that referenced the sequencing plans. We have revised the PACS-related section of our 2012 submission to OMB to reflect our current sequencing considerations (although that is not required) and we have updated our EPASS project management plan. EPA Order 3200, EPA Personal Identity Verification and Smartcard Program, will be updated in CY 2013 by a one-EPA team of stakeholders, and any reference to PACS sequencing will be deleted.

   OIG Comment: We are pleased that EPA agrees that it should have updated these critical documents earlier. These official documents stated EPA’s plans for upgrading facilities in terms of the number to be upgraded and by what date. The documents represented the official EPA plans and as such should have been revised when SMD knew it was changing its plans.

Authentication is not a sequencing issue: The following OIG conclusions reflect a misunderstanding of the role of identity verification and authentication:
   • “...some of EPA’s most critical facilities do not require as stringent an identity verification process for access as some of its least important facilities” (p. 4).
   • “...some facilities housing hundreds or even thousands of employees along with other important assets did not require the higher level of authentication to gain access as some facilities of lesser value and importance” (p. 7).

First, no federal mandate or standard, including the HSPD-12 implementing standard FIPS 201-1, stipulates that identity verification or authentication determine the order of PIV-enabled PACS implementation. Per FIPS 201-1: “PIV Cards can be used for identity authentication in environments that are equipped with card readers as well as those that lack card readers” (p. 46). FIPS 201-1 defines authentication as: “The process of establishing confidence of authenticity; in this case in the validity of a person’s identity and the PIV card” (p. 70). In addition, 99% of EPA federal employees (95% of all personnel when non-federal employees are included) have completed HSPD-12-mandated identity verification and authentication in the form of a background investigation, identity proofing, and PIV card/EPASS badge issuance.

   OIG Comment: The comments in the preceding paragraph relate to requirements for smartcard identification badges. The content in our report deals with EPA’s implementation and use of PACS along with the smartcard badge. The smartcard badges are just one piece of the overall physical access process. Our report raises issues EPA needs to address to improve its overall process for physical access.

Second, OIG conclusions are based on subjective characterizations of facilities as “most critical” (p. 4), “less critical” (At a Glance), “least important” (p. 4), “most important” (At a Glance), “critical and most valued” (p. 4), and “of lesser value and importance” (p. 7). No physical security standard or smartcard mandate ranks buildings as most or least important, most or least critical, or most or least valuable. Although the report claims to cite the ISC Facility Security Level Determinations for Federal Facilities, “Level 4 facilities are also of high importance and require the next highest degree of protection, and so forth down to Level 1 facilities” (p. 5), the ISC standard does not state that. Per ISC standards, protective measures are based on a risk management system that considers FSL, identification of a baseline Level of Protection (LOP), and determination of acceptable levels of risk. Again, PIV-enabled PACS are not among the protective measures addressed in the ISC Physical Security Criteria for Federal Facilities.

   OIG Comment: The document titled Facility Security Level Determinations for Federal Facilities explains and defines the hierarchy of rankings that federal agencies should use to determine the level of each facility. That document states that the higher the designated level of a facility, the more valuable and critical that facility is to achieving an agency’s mission. It also states that the degree of protection should be commensurate with each designated security level, with higher security levels requiring greater protection. While the standard titled Physical Security Criteria for Federal Facilities may not specifically discuss PIV-enabled PACS, the purpose of the smartcards and related systems is to increase and improve security and protection.

The OIG’s conclusion that the agency’s PACS upgrade sequencing has somehow left “hundreds and even thousands of EPA employees” (p. 5) at risk is not logical and not supported by fact. The agency mitigates risk and vulnerability at all facilities per ISC standards, in which PIV-enabled PACS figure not at all.

   OIG Comment: As stated in our comment above, Security Level 4 facilities, by definition, are higher value assets, and EPA states the same in the plan it submitted to OMB in 2008. Further, having operational PACS in place at such facilities provides an additional layer of security by increasing the number of levels of authentication needed to gain access. EPA asserts that PACS systems do not add security over what was in place.
If PACS systems add no additional\n       security, this raises the question why EPA would plan to spend nearly $56\n       million on this program. EPA is complying with HSPD-12 and subsequent\n       requirements because the smartcard and associated systems increase security and\n       safety, which was the intent behind HSPD-12.\n\n\n\n      The majority of upgrades have already been initiated: Making changes to PACS\n      sequencing at this late stage of the program would be costly, disruptive and unnecessary,\n      not only for the reasons above, but because the remaining schedule largely accomplishes\n      the aim of the OIG recommendation. The contracts for the remaining Level 4 upgrades\n      will be awarded in Q2 FY 2013. All remaining Level 3 upgrades are scheduled for award\n      by Q3 FY 2013 and all remaining Level 2 upgrades by Q3 FY14.\n\n\n\n\n13-P-0200                                                                                        37\n\x0cProposed Alternative:\nContinue with current implementation sequencing, which in large part achieves the aim of the\nrecommendation: all remaining FSL 4 upgrades will be initiated by Q2 FY 2013; all FSL 3s by\nQ3 FY 2013; and all FSL 2s by Q3 FY14. The SMD Director will provide written justification to\nthe Assistant Administrator of OARM for any FSL 1 projects.\n\n   OIG Comment: We agree with EPA\xe2\x80\x99s proposed alternative to complete Security Level 4\n   facilities before completing upgrades to lower level facilities, and that the SMD Director\n   will provide written justification to the Assistant Administrator for OARM prior to\n   updating any Security Level 1 facilities.\n\nRecommendation 2\n\nOur disagreement is with the presence of the word \xe2\x80\x9cinter-operable\xe2\x80\x9d in the recommendation and\nthe misunderstanding it represents. The EPASS badge, per FIPS 201 requirements, is inherently\nintra-operable across the agency and inter-operable with other agencies. 
Within EPA, any\nEPASS badge can be authenticated and granted access to any PIV-enabled PACS. EPA PIV-\nenabled PACS can authenticate PIV cards issued by other agencies, and our EPASS badges are\naccepted at other agencies\xe2\x80\x99 PIV-enabled PACS. The EPASS badge and PACS programs fully\nsupport inter- and intra-operability in compliance with all governing authorities and technical\nstandards; all statements in the draft audit indicating otherwise are incorrect (see additional\ncomments on accuracy of draft report, below).\n\n   OIG Comment: We understand that the EPASS badge is designed and produced to have\n   the capabilities to be both intra- and inter-operable and we do not question that in this\n   report. The point we make in chapter 3 is that, in practice, these security systems at EPA\n   facilities across the country are operated in dissimilar ways and were not fostering\n   consistent access to facilities by EPA employees. We believe that EPA\xe2\x80\x99s response is one\n   related to semantics rather than substance as EPA states that it has been lacking\n   nationwide policies and procedures that foster consistent facility access using the\n   smartcard (see next OIG comment).\n\n\nWhat is lacking is not intra- and inter-operability, but rather: 1) a clear local understanding of the\nintra- and inter-operable capabilities of Personal Identity Verification (PIV) cards and existing\nPACS; and 2) agencywide policy on use of the PIV card for facility access. The proposed\nalternative below addresses both of these issues. We agree with the OIG that fostering consistent\nfacility access procedures is important, with the understanding that procedures need to be\nresponsive to local security conditions and the wide range of real estate arrangements at EPA. 
One\nsize cannot fit all when circumstances include EPA-owned and leased, privately owned, GSA-\nowned and leased, single and multi-tenant, and mixed federal and private tenant arrangements.\n\n    OIG Comment: We agree with EPA that what has been lacking is a national EPA-wide\n    policy and procedures for ensuring consistent access procedures for all EPA employees.\n\n\n13-P-0200                                                                                         38\n\x0cProposed Alternative:\nOARM requests that the words \xe2\x80\x9cand inter-operable\xe2\x80\x9d be removed from Recommendation 2 so that\nwe can fully agree with the text. We are planning to foster consistent facility access control\nprocedures and improve regional understanding of intra- and inter-operable capabilities of\nexisting PACS. To achieve this, OARM will create and disseminate to regional personnel\noutreach on existing inter-operable capabilities in Q2 FY 2013. EPA will also submit for the\ndirectives clearance process an EPA-wide policy, Use of the PIV Card for Facility Access, in Q2\nFY 2013. The policy is the result of a one-EPA effort and addresses the requirements for\npermitting unescorted access to EPA facilities where physical access is controlled by a PIV-\nenabled PACS. The purpose of the policy is to:\n    \xef\x82\xb7 Provide consistent application of physical access controls\n    \xef\x82\xb7 Describe requirements for granting access to PIV-enabled EPA-controlled buildings and\n        spaces\n    \xef\x82\xb7 Define the security roles and responsibilities of all parties involved in granting access to\n        EPA facilities\n\n  OIG Comment: We removed the words \xe2\x80\x9cand inter-operable\xe2\x80\x9d from recommendation 2 in\n  our draft report. As currently implemented, EPA\xe2\x80\x99s PACS and smartcard badges do not\n  allow consistent facility access to EPA and other federal employees as intended. 
We do\n  agree with EPA\xe2\x80\x99s proposed recommendation to develop and implement a policy that will\n  allow for consistent facility access control procedures and improve regional understanding\n  of intra- and inter-operable capabilities before March 31, 2013.\n\n\nRecommendation 5c-d (see general comment under Recommendation 5, above)\n\nSub-recommendation c: The intent and basis for this recommendation is unclear, and as such,\nOAM is unable to provide a response without further clarification/information from the OIG.\nThe FAR (3.501-2, 15.305, 15.402, 15.404, 15.405, 15.406, 43.204) sets forth responsibility for\nconducting cost analysis with the Contracting Officer. Accordingly, the recommendation to\nestablish a process to ensure SMD conducts cost analysis assigns responsibility for this critical\nfunction contrary to regulation. With regard to ensuring adequate cost analysis is performed,\nOAM\xe2\x80\x99s oversight program is described in the response to recommendation 4 above.\n\n  OIG Comment: The intent of this recommendation is to ensure that SMD considers cost\n  through meaningful analysis before spending taxpayer dollars on its programs. We are not\n  suggesting that OARM removes responsibility from contracting officers. We believe cost\n  analysis is a useful and necessary process across all programs and divisions that use\n  contractors to carry out EPA\xe2\x80\x99s mission. The EPA Guide for Preparing Independent\n  Government Cost Estimates, prepared by OAM, states, \xe2\x80\x9cThe FAR considers IGCE\xe2\x80\x99s an\n  integral part of the acquisition process. A successful acquisition process requires\n  collaboration between the program and procurement offices. When a Program Office\n  prepares a meaningful IGCE, the CO may use that document to facilitate the determination\n  of fair and reasonable pricing in the procurement process. 
As a result, all parties benefit from\n  a well prepared IGCE.\xe2\x80\x9d\n\n\n13-P-0200                                                                                        39\n\x0cSub-recommendation d: OAM makes training on IGCE\xe2\x80\x99s available to through various OAM\nsponsored and conducted training sessions. Additionally, under the new three tiered COR\ntraining and certification program, OAM will continue to ensure the COR curriculum includes\ntraining on IGCE\xe2\x80\x99s. Accordingly, completion of IGCE training is incorporated under COR\ncertification. As a result, OAM believes that the separate IGCE training certification\nrecommended by the OIG is both redundant and unnecessary.\n\n   OIG Comment: We agree with the action EPA has taken to make IGCE training\n   available. However, in a face-to-face interview on March 20, 2012, in Washington, DC,\n   the SMD PACS project manager and an SMD contracting officer representative both told\n   us that they: (1) were not familiar with the EPA Guide for Preparing Independent\n   Government Cost Estimates or the GAO Cost Estimating and Assessment Guide, and (2)\n   had not been offered any training on preparing IGCEs in general. Therefore, EPA should\n   ensure that appropriate staff are aware of available IGCE training and take the training.\n\nSome Additional Factual Inaccuracies in the Draft Report\n\nOA requests that the following indirect quotations attributed to SMD Director [name removed]\nbe removed from the report. The OIG versions of her words do not reflect what she said, create\nan unwarranted and unsubstantiated negative personal portrayal and do not qualify as relevant\nevidence (emphasis added):\n    \xef\x82\xb7\t \xe2\x80\x9cThe SMD Director also said that EPA did not want to make mistakes upgrading its\n       headquarters buildings so it has been upgrading other buildings first\xe2\x80\x9d (p. 4). 
The report\n       repeats this inaccurate claim in two other places: \xe2\x80\x9cAlso, EPA indicated it did not want to\n       make mistakes upgrading headquarters buildings so it upgraded others first\xe2\x80\x9d (At a\n       Glance), and \xe2\x80\x9cThe Director said that they did not want to make mistakes at headquarters\n       and were therefore upgrading other buildings first and leaving the upgrades of\n       headquarters buildings toward the end of the project\xe2\x80\x9d (p. 6).\n\n  OIG Comment: During a June 21, 2011 meeting with the SMD Director, we questioned\n  the decision not to upgrade Headquarters\xe2\x80\x99 buildings before other lower level facilities. We\n  believe the statements in the report accurately paraphrase those discussions.\n\n\n\n\n13-P-0200                                                                                       40\n\x0c   \xef\x82\xb7     \xe2\x80\x9cThe SMD Director told us she believed it was more efficient and logistically made\n        more sense to upgrade facilities based on geographic location. She said that SMD\n        preferred to award one contract for each location or region and have all facilities in that\n        area upgraded simultaneously. SMD could not provide data or documented justification\n        showing that it was more efficient to upgrade based on location; the Director said SMD\n        did not have such data because the increased efficiency was obvious\xe2\x80\x9d (p. 6).\n\n       OIG Comment: On December 14, 2011, the SMD Director sent the OIG an email\n       that stated:\n            \xe2\x80\x9cImplementing PACS facility-by-facility requires separate and distinct systems\n            to be installed in each individual facility. Several criteria were considered when\n            comparing a facility-based approach to an enterprise approach. 
These criteria\n            included the cost of hardware and software and the increased technical\n            complexity caused by the volume of systems. No quantitative data was produced\n            because of the obvious cost advantage. For example, to install independent\n            PACS across five facilities would require two servers (primary and backup) per\n            location, totaling 10 servers across the five locations, and 5 vendor application\n            licenses. In comparison, covering the five locations with a single enterprise\n            implementation requires only two servers and one vendor application license.\n            The cost differential is obvious without a detailed quantitative analysis.\xe2\x80\x9d\n\n   \xef\x82\xb7\t \xe2\x80\x9cWe asked the SMD Director if she had considered other contracting approaches to\n      upgrading facilities that emphasized security level first rather than all facilities in a given\n      geographic area at the same time. She said that she had not thought of that and would\n      have to consult with OAM to determine whether EPA could have used other contracting\n      options\xe2\x80\x9d (p. 7).\n\n        OIG Comment: We asked the SMD Director on December 21, 2011, whether SMD\n        had considered the possibility of awarding a national contract to first upgrade Security\n        Level 4 facilities that would contain the option to go back to a particular geographic\n        area at a later time to upgrade lower-level facilities in that same location. The SMD\n        Director said to us that she had never thought of that option and she would need to\n        consult with a contracting expert in OAM to determine whether that was feasible.\n\n\nWe request deletion of unsupported speculation on what might have been effective contracting in\n2006 or what might have been done at that time. 
The OIG presents conjecture on a complex issue\nby an individual who likely did not identify herself to the OIG as expert in the identification of\nEPA\xe2\x80\x99s \xe2\x80\x9cmost critical assets\xe2\x80\x9d or in what constitutes a proper \xe2\x80\x9cprioritized order\xe2\x80\x9d for PACS\nsequencing. This text does not qualify as relevant evidence and does not contribute to logical\ninferences based on findings (emphasis added):\n    \xef\x82\xb7\t \xe2\x80\x9cWe discussed this issue with the OAM contracting officer for some PACS contracts and\n        she told us that awarding contracts in order of facility security level could have been an\n        effective alternative without resulting in greater cost. She said that SMD could have\n        awarded national contracts at the beginning of this program to focus first on upgrading all\n\n13-P-0200                                                                                             41\n\x0c       Level 4s. She said that after SMD upgraded those facilities, additional national contracts\n       could have been awarded to upgrade the Level 3s and so on, thereby addressing the most\n       critical assets in a prioritized order\xe2\x80\x9d (p. 7).\n\n   OIG Comment: We discussed possible contracting options with an EPA contracting\n   officer responsible for awarding PACS contracts. The contracting officer provided us with\n   her views on additional options mentioned in the report. We believe that this contracting\n   officer would have the knowledge and background to provide credible contracting options\n   for awarding PACS contracts.\n\n\nWe request deletion or correction of all statements indicating EPA has not achieved intra- and\ninter-operability; EPA has achieved full intra- and inter-operability (see discussion of\nRecommendation 2, above).\n\n  OIG Comment: EPA has achieved the potential for intra- and inter-operability through the\n  EPASS badge. 
However, the use of the smartcards and the physical access control systems\n  is not consistently applied across EPA. We agree with EPA that it needs nationwide\n  policies and procedures that foster consistent facility access using the smartcard and we\n  encourage the Agency to finalize those policies and procedures as soon as possible.\n\n\nWe request deletion of the following inaccurate statement: \xe2\x80\x9cAnother reason the PACS upgrade\nhas been inconsistent is that SMD has not been accountable for how it is carrying out the\nprogram\xe2\x80\x9d (p. 11). SMD is accountable to the agency and OMB and provides all reporting that the\nagency and OMB require. Our PACS accountability includes:\n    \xef\x82\xb7 A monthly data call to OMB on earned value management, performance and risk\n       management, including PACS schedules and costs\n    \xef\x82\xb7 An updated EPASS implementation plan sent to OMB in July 2012\n    \xef\x82\xb7 An annual data call to OMB for EPA\xe2\x80\x99s PortfolioStat in June 2012\n    \xef\x82\xb7 A yearly Capital Planning and Investment Control (CPIC) report to OMB\n    \xef\x82\xb7 An annual report on EPASS, including PACS, as part of the Federal Managers Financial\n       Integrity Act assurance process\n    \xef\x82\xb7 A yearly Chief Information Officer CPIC investment review\n\n  OIG Comment: We deleted the statement from our draft report that SMD has not been\n  accountable for carrying out the program. We agree that SMD generates a number of\n  reports for OMB. Our position is that EPA does not have a clearly identified office in\n  charge of its smartcard program. Responsibility for the program is split between OARM\n  and OEI.\n\n\nThe OIG makes incorrect connections between accountability, leadership and inconsistency\n(emphasis added). \xe2\x80\x9cEPA should also increase accountability over its smartcard program by\nclearly identifying one senior executive responsible for implementation and oversight. 
Stronger\nleadership over the program should help address the issues related to inconsistency that we have\n\n13-P-0200                                                                                        42\n\x0cidentified\xe2\x80\x9d (p. 13). The inconsistency referenced here refers to an earlier OIG statement:\n\xe2\x80\x9cHowever, the inconsistency with which EPA has upgraded PACS is impeding EPA\xe2\x80\x99s ability to\nhave intra-operable systems for EPA employees, much less inter-operability with other agencies\xe2\x80\x9d\n(p. 13). As explained in our response to Recommendation 2, the PACS program has achieved full\nintra- and inter-operability; as explained in the previous paragraph, our PACS program is already\naccountable to EPA and OMB. We agree that a single entity to oversee the smartcard program is\nneeded to make the agency compliant with OMB Memorandum M-11-11 and position the\nprogram to implement EPA\xe2\x80\x99s Identity, Credential, and Access Management initiative.\n\n OIG Comment: EPA implemented this program from 2008 through 2012 in a manner that\n was not consistent with the plan submitted to OMB. We recognize that SMD responded to this\n issue identified during our audit by submitting a revised plan to OMB in July 2012. This was a\n positive step to increasing accountability. However, EPA\xe2\x80\x99s accountability for implementing\n the PACS program is diminished without identifying a senior executive responsible for the\n PACS program. Regarding the second part of the paragraph above, EPA is not implementing\n the physical access control system in a consistent manner. 
Different locations use different\n procedures for access and there has been no national standard to guide this process.\n\nThe following OIG language is unnecessary and inflammatory (emphasis added): \xe2\x80\x9cIn addition,\nEPA\xe2\x80\x99s Criminal Investigation Division (CID) initially stated that it was not going to upgrade its\nfacilities because it did not agree with the direction of the smartcard program, and SMD allowed\nCID to dictate that decision when it should not have\xe2\x80\x9d (p. 9). CID did not interact with SMD in\nthis manner. The two organizations have been collaborative and collegial. We request that the\nunderlined text be removed.\n\n OIG Comment: In discussions with CID and SMD, we found that CID Dallas, Texas, elected\n not to participate in the program. SMD did not take action to ensure CID was included in the\n program until we pointed out to them that the space was accessible to the general public. We\n have adjusted the report language to this effect.\n\n\nThe table on p. 6 of the report, as well as information derived from the table throughout the\nreport, does not accurately reflect the data provided by SMD to the OIG. To give one example,\nthe OIG counts only one FSL 4 facility at Research Triangle Park; however, SMD upgraded\nPACS at multiple FSL 4 facilities there.\n\n OIG Comment: During this audit, EPA provided us with multiple lists of EPA facilities that\n were different and some contained discrepancies. Further, in some spreadsheets SMD provided\n us they counted a location as one facility and in others they counted each building at that\n location as a separate facility. Therefore, to obtain a list that incorporated total facilities by\n security level and the date of upgrades, we developed the best supportable list that we could\n from the data SMD provided. 
We based table 1 on data SMD provided as of April 2012.\n Because EPA\xe2\x80\x99s lists combined facilities into a single entry in some cases, we acknowledge that\n the actual number of EPA facilities could be higher than the total included in our table. Based\nCONTACT\n on a report INFORMATION\n              we received from SMD that EPA submitted to OMB, as of July 2012 EPA planned\n to upgrade a total of 76 facilities (21 level 4s; 26 level 3s; 26 level 2s; and 3 level 1s).\n\n\n13-P-0200                                                                                        43\n\x0cIf you have any questions about responses related to the PACS upgrade, please contact Security\nManagement Division Director Tami Franklin at (202) 564-9218. If you have questions about\nresponses related to contracting, please contact Special Assistant to the Director of OAM Lisa\nMaass at (202) 564-2498.\n\n\n\n\n13-P-0200                                                                                    44\n\x0c                                                                             Appendix E\n\n                                   Distribution\nOffice of the Administrator\nDeputy Administrator\nAssistant Administrator for Administration and Resources Management\nPrincipal Deputy Assistant Administrator for Administration and Resources Management\nChief Financial Officer\nDeputy Chief Financial Officer\nDirector, Office of Budget, Office of the Chief Financial Officer\nDirector, Office of Human Resources, Office of Administration and Resources Management\nAgency Follow-Up Coordinator\nGeneral Counsel\nDeputy General Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nAudit Follow-Up Coordinator, Office of the Chief Financial Officer\nAudit Follow-Up Coordinator, Office of Administration and Resources Management\n\n\n\n\n13-P-0200                                              
                                  45\n\x0c"